Skip to content

Added note about app migration domains #131

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sir-axolotl-alot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Added note about app migration domains #131

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 38 additions & 34 deletions docs/capabilities/http-fetch.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,26 +23,30 @@ devvit.json

### Requesting a domain to be allow-listed

:::note
If you're porting a Data API app as part of our [App Migration Programs](https://www.reddit.com/r/Devvit/comments/1sgwkm7/bring_your_data_api_apps_to_devvit_and_details/) you may be eligible for special fetch domain exceptions. Please list at the top of your Devvit app's README.md file which Data API app you are migrating, and which domains you need access to. Our App Review team will provide exemptions for program participants
:::

Apps may request a domain to be added to the allow-list by specifying domains in the http configuration. This configuration is optional, and apps can still configure http: true as before.

Requested domains will be submitted for review when you playtest or upload your app. Admins may approve or deny domain requests.

Domain entries must be exact hostnames only, such as nytimes.com or wikipedia.org. These fetch requests are not allowed:

* Be specific. No using \*.example.com when you need api.example.com
* No wildcards: \*.example.com
* No protocols: https://api.example.com
* No paths: api.example.com/webhooks
- Be specific. No using \*.example.com when you need api.example.com
- No wildcards: \*.example.com
- No protocols: https://api.example.com
- No paths: api.example.com/webhooks

Domains that are approved for your app will be displayed in the Developer Settings section for your app at `https://developers.reddit.com/apps/{your-app-slug}/developer-settings`. These domains are allow-listed for **your app only** and not globally.

Apps must request each individual domain that it intends to fetch, even if the domain is already globally allowed. See the [global fetch allowlist](#global-fetch-allowlist) to view the list of globally allowed domains.

## Limitations

* Access is only allowed to https URIs.
* Supported HTTP methods: GET, POST, PUT, DELETE, OPTIONS and PATCH.
* HTTP timeout limit is 30 seconds.
- Access is only allowed to https URIs.
- Supported HTTP methods: GET, POST, PUT, DELETE, OPTIONS and PATCH.
- HTTP timeout limit is 30 seconds.

## Example usage

Expand Down Expand Up @@ -71,10 +75,10 @@ console.log('External API response:', data);

Client-side fetch has different restrictions:

* **Domain limitation**: Can only make requests to your own webview domain
* **Endpoint requirement**: All requests must target endpoints that start with /api
* **Authentication**: Handled automatically \- no need to manage auth tokens
* **No external domains**: Cannot make requests to external domains from client-side code
- **Domain limitation**: Can only make requests to your own webview domain
- **Endpoint requirement**: All requests must target endpoints that start with /api
- **Authentication**: Handled automatically \- no need to manage auth tokens
- **No external domains**: Cannot make requests to external domains from client-side code
client/index.ts

```
Expand All @@ -101,16 +105,16 @@ const handleFetchData = async () => {

## Troubleshooting

The following error means HTTP Fetch requests are hitting the internal timeout limits.
The following error means HTTP Fetch requests are hitting the internal timeout limits.

```
HTTP request to domain: <domain> timed out with error: context deadline exceeded.
```

To resolve this:

* Use a queue or kick off an async request in your back end. You can use [Scheduler](https://developers.reddit.com/docs/capabilities/server/scheduler) to monitor the result.
* Optimize the overall HTTP request latency if you have a self-hosted server.
- Use a queue or kick off an async request in your back end. You can use [Scheduler](https://developers.reddit.com/docs/capabilities/server/scheduler) to monitor the result.
- Optimize the overall HTTP request latency if you have a self-hosted server.

## Global fetch allowlist

Expand Down Expand Up @@ -154,35 +158,35 @@ These domains are globally allowed and can be fetched by any app.

Allow-listed domains fall into three categories:

1. **APIs that provide data or specific services** (e.g., api.openai.com, api.wikipedia.org) \- These will be approved if they have a **publicly documented and publicly accessible API** for valid use cases, and if they adhere to the Devvit rules. Please reference our AI providers and account linking policies for common invalid use cases.
2. **Limited scope cloud providers** (e.g., username.supabase.com, my-app.firebase.com) \- May be granted with exceptions. You must:
* Follow user privacy guidelines and data governance requirements
* Use an approved provider from the list below (please include your subdomain, and request for the most granular domain possible, e.g. my-app.s3.amazonaws.com)
* supabase.com
* firebase.com
* spacetimedb.com
* s3.amazonaws.com
* storage.googleapis.com
* Demonstrate a capability that @devvit/server doesn't support
* Valid use cases include relational databases
* Note: Approval can be revoked at any time
1. **APIs that provide data or specific services** (e.g., api.openai.com, api.wikipedia.org) \- These will be approved if they have a **publicly documented and publicly accessible API** for valid use cases, and if they adhere to the Devvit rules. Please reference our AI providers and account linking policies for common invalid use cases.
2. **Limited scope cloud providers** (e.g., username.supabase.com, my-app.firebase.com) \- May be granted with exceptions. You must:
- Follow user privacy guidelines and data governance requirements
- Use an approved provider from the list below (please include your subdomain, and request for the most granular domain possible, e.g. my-app.s3.amazonaws.com)
- supabase.com
- firebase.com
- spacetimedb.com
- s3.amazonaws.com
- storage.googleapis.com
- Demonstrate a capability that @devvit/server doesn't support
- Valid use cases include relational databases
- Note: Approval can be revoked at any time
3. **Personal domains** (e.g., personaldomain.com) \- Will not be approved. If you have a use case that our Devvit server does not support, please submit your request with detailed justification for a possible exception.

### AI providers

At this time, OpenAI and Google Gemini are the only allowed providers:

* api.openai.com
* generativelanguage.googleapis.com
- api.openai.com
- generativelanguage.googleapis.com

Requests to use any other AI provider will be denied.

### Documentation requirements

If your app uses fetch domains, you must add context to your app's README for the approval process:

1. Create a "Fetch Domains" section in your README
2. List each domain you're requesting and explain why you need it
1. Create a "Fetch Domains" section in your README
2. List each domain you're requesting and explain why you need it
3. Ensure your usage complies with our fetch guidelines

Example README section:
Expand All @@ -201,10 +205,10 @@ The following domains are requested for this app:

Domain entries must be exact hostnames only, such as nytimes.com or wikipedia.org. In addition:

* Be specific. No using \*.example.com when you need api.example.com
* No wildcards: \*.example.com
* No protocols: https://api.example.com
* No paths: api.example.com/webhooks
- Be specific. No using \*.example.com when you need api.example.com
- No wildcards: \*.example.com
- No protocols: https://api.example.com
- No paths: api.example.com/webhooks

Domains that are approved for your app are displayed in the Developer Settings section for your app at `https://developers.reddit.com/apps/{your-app-slug}/developer-settings`. These domains are allow-listed for **your app only** and not globally.

Expand Down
4 changes: 4 additions & 0 deletions versioned_docs/version-0.11/capabilities/http-fetch.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,10 @@ Your Devvit app can make network requests to access allow-listed external domain

### Requesting a domain to be allow-listed

:::note
If you're porting a Data API app as part of our [App Migration Programs](https://www.reddit.com/r/Devvit/comments/1sgwkm7/bring_your_data_api_apps_to_devvit_and_details/) you may be eligible for special fetch domain exceptions. Please list at the top of your Devvit app's README.md file which Data API app you are migrating (account username), and which domains you need access to. Our App Review team will provide exemptions for program participants.
:::

Apps may request a domain to be added to the allow-list by specifying `domains` in the `http` configuration.
This configuration is optional, and apps can still configure `http: true` as before.

Expand Down
76 changes: 42 additions & 34 deletions versioned_docs/version-0.12/capabilities/http-fetch.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,26 +23,30 @@ devvit.json

### Requesting a domain to be allow-listed

:::note
If you're porting a Data API app as part of our [App Migration Programs](https://www.reddit.com/r/Devvit/comments/1sgwkm7/bring_your_data_api_apps_to_devvit_and_details/) you may be eligible for special fetch domain exceptions. Please list at the top of your Devvit app's README.md file which Data API app you are migrating (account username), and which domains you need access to. Our App Review team will provide exemptions for program participants.
:::

Apps may request a domain to be added to the allow-list by specifying domains in the http configuration. This configuration is optional, and apps can still configure http: true as before.

Requested domains will be submitted for review when you playtest or upload your app. Admins may approve or deny domain requests.

Domain entries must be exact hostnames only, such as nytimes.com or wikipedia.org. These fetch requests are not allowed:

* Be specific. No using \*.example.com when you need api.example.com
* No wildcards: \*.example.com
* No protocols: https://api.example.com
* No paths: api.example.com/webhooks
- Be specific. No using \*.example.com when you need api.example.com
- No wildcards: \*.example.com
- No protocols: https://api.example.com
- No paths: api.example.com/webhooks

Domains that are approved for your app will be displayed in the Developer Settings section for your app at `https://developers.reddit.com/apps/{your-app-slug}/developer-settings`. These domains are allow-listed for **your app only** and not globally.

Apps must request each individual domain that it intends to fetch, even if the domain is already globally allowed. See the [global fetch allowlist](#global-fetch-allowlist) to view the list of globally allowed domains.

## Limitations

* Access is only allowed to https URIs.
* Supported HTTP methods: GET, POST, PUT, DELETE, OPTIONS and PATCH.
* HTTP timeout limit is 30 seconds.
- Access is only allowed to https URIs.
- Supported HTTP methods: GET, POST, PUT, DELETE, OPTIONS and PATCH.
- HTTP timeout limit is 30 seconds.

## Example usage

Expand Down Expand Up @@ -71,10 +75,10 @@ console.log('External API response:', data);

Client-side fetch has different restrictions:

* **Domain limitation**: Can only make requests to your own webview domain
* **Endpoint requirement**: All requests must target endpoints that start with /api
* **Authentication**: Handled automatically \- no need to manage auth tokens
* **No external domains**: Cannot make requests to external domains from client-side code
- **Domain limitation**: Can only make requests to your own webview domain
- **Endpoint requirement**: All requests must target endpoints that start with /api
- **Authentication**: Handled automatically \- no need to manage auth tokens
- **No external domains**: Cannot make requests to external domains from client-side code
client/index.ts

```
Expand All @@ -101,16 +105,16 @@ const handleFetchData = async () => {

## Troubleshooting

The following error means HTTP Fetch requests are hitting the internal timeout limits.
The following error means HTTP Fetch requests are hitting the internal timeout limits.

```
HTTP request to domain: <domain> timed out with error: context deadline exceeded.
```

To resolve this:

* Use a queue or kick off an async request in your back end. You can use [Scheduler](https://developers.reddit.com/docs/capabilities/server/scheduler) to monitor the result.
* Optimize the overall HTTP request latency if you have a self-hosted server.
- Use a queue or kick off an async request in your back end. You can use [Scheduler](https://developers.reddit.com/docs/capabilities/server/scheduler) to monitor the result.
- Optimize the overall HTTP request latency if you have a self-hosted server.

## Global fetch allowlist

Expand Down Expand Up @@ -154,35 +158,35 @@ These domains are globally allowed and can be fetched by any app.

Allow-listed domains fall into three categories:

1. **APIs that provide data or specific services** (e.g., api.openai.com, api.wikipedia.org) \- These will be approved if they have a **publicly documented and publicly accessible API** for valid use cases, and if they adhere to the Devvit rules. Please reference our AI providers and account linking policies for common invalid use cases.
2. **Limited scope cloud providers** (e.g., username.supabase.com, my-app.firebase.com) \- May be granted with exceptions. You must:
* Follow user privacy guidelines and data governance requirements
* Use an approved provider from the list below (please include your subdomain, and request for the most granular domain possible, e.g. my-app.s3.amazonaws.com)
* supabase.com
* firebase.com
* spacetimedb.com
* s3.amazonaws.com
* storage.googleapis.com
* Demonstrate a capability that @devvit/server doesn't support
* Valid use cases include relational databases
* Note: Approval can be revoked at any time
1. **APIs that provide data or specific services** (e.g., api.openai.com, api.wikipedia.org) \- These will be approved if they have a **publicly documented and publicly accessible API** for valid use cases, and if they adhere to the Devvit rules. Please reference our AI providers and account linking policies for common invalid use cases.
2. **Limited scope cloud providers** (e.g., username.supabase.com, my-app.firebase.com) \- May be granted with exceptions. You must:
- Follow user privacy guidelines and data governance requirements
- Use an approved provider from the list below (please include your subdomain, and request for the most granular domain possible, e.g. my-app.s3.amazonaws.com)
- supabase.com
- firebase.com
- spacetimedb.com
- s3.amazonaws.com
- storage.googleapis.com
- Demonstrate a capability that @devvit/server doesn't support
- Valid use cases include relational databases
- Note: Approval can be revoked at any time
3. **Personal domains** (e.g., personaldomain.com) \- Will not be approved. If you have a use case that our Devvit server does not support, please submit your request with detailed justification for a possible exception.

### AI providers

At this time, OpenAI and Google Gemini are the only allowed providers:

* api.openai.com
* generativelanguage.googleapis.com
- api.openai.com
- generativelanguage.googleapis.com

Requests to use any other AI provider will be denied.

### Documentation requirements

If your app uses fetch domains, you must add context to your app's README for the approval process:

1. Create a "Fetch Domains" section in your README
2. List each domain you're requesting and explain why you need it
1. Create a "Fetch Domains" section in your README
2. List each domain you're requesting and explain why you need it
3. Ensure your usage complies with our fetch guidelines

Example README section:
Expand All @@ -199,12 +203,16 @@ The following domains are requested for this app:

### Domain requirements

:::note
If you're porting a Data API app as part of our [App Migration Programs](https://www.reddit.com/r/Devvit/comments/1sgwkm7/bring_your_data_api_apps_to_devvit_and_details/) you may be eligible for special fetch domain exceptions. Please list at the top of your Devvit app's README.md file which Data API app you are migrating (account username), and which domains you need access to. Our App Review team will provide exemptions for program participants.
:::

Domain entries must be exact hostnames only, such as nytimes.com or wikipedia.org. In addition:

* Be specific. No using \*.example.com when you need api.example.com
* No wildcards: \*.example.com
* No protocols: https://api.example.com
* No paths: api.example.com/webhooks
- Be specific. No using \*.example.com when you need api.example.com
- No wildcards: \*.example.com
- No protocols: https://api.example.com
- No paths: api.example.com/webhooks

Domains that are approved for your app are displayed in the Developer Settings section for your app at `https://developers.reddit.com/apps/{your-app-slug}/developer-settings`. These domains are allow-listed for **your app only** and not globally.

Expand Down
Loading
Loading