You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/capabilities/http-fetch.md
+38-34Lines changed: 38 additions & 34 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -23,26 +23,30 @@ devvit.json
23
23
24
24
### Requesting a domain to be allow-listed
25
25
26
+
:::note
27
+
If you're porting a Data API app as part of our [App Migration Programs](https://www.reddit.com/r/Devvit/comments/1sgwkm7/bring_your_data_api_apps_to_devvit_and_details/) you may be eligible for special fetch domain exceptions. Please list at the top of your Devvit app's README.md file which Data API app you are migrating, and which domains you need access to. Our App Review team will provide exemptions for program participants
28
+
:::
29
+
26
30
Apps may request a domain to be added to the allow-list by specifying domains in the http configuration. This configuration is optional, and apps can still configure http: true as before.
27
31
28
32
Requested domains will be submitted for review when you playtest or upload your app. Admins may approve or deny domain requests.
29
33
30
34
Domain entries must be exact hostnames only, such as nytimes.com or wikipedia.org. These fetch requests are not allowed:
31
35
32
-
* Be specific. No using \*.example.com when you need api.example.com
33
-
* No wildcards: \*.example.com
34
-
* No protocols: https://api.example.com
35
-
* No paths: api.example.com/webhooks
36
+
- Be specific. No using \*.example.com when you need api.example.com
37
+
- No wildcards: \*.example.com
38
+
- No protocols: https://api.example.com
39
+
- No paths: api.example.com/webhooks
36
40
37
41
Domains that are approved for your app will be displayed in the Developer Settings section for your app at `https://developers.reddit.com/apps/{your-app-slug}/developer-settings`. These domains are allow-listed for **your app only** and not globally.
38
42
39
43
Apps must request each individual domain that it intends to fetch, even if the domain is already globally allowed. See the [global fetch allowlist](#global-fetch-allowlist) to view the list of globally allowed domains.
40
44
41
45
## Limitations
42
46
43
-
* Access is only allowed to https URIs.
44
-
* Supported HTTP methods: GET, POST, PUT, DELETE, OPTIONS and PATCH.
45
-
* HTTP timeout limit is 30 seconds.
47
+
- Access is only allowed to https URIs.
48
+
- Supported HTTP methods: GET, POST, PUT, DELETE, OPTIONS and PATCH.
49
+
- HTTP timeout limit is 30 seconds.
46
50
47
51
## Example usage
48
52
@@ -71,10 +75,10 @@ console.log('External API response:', data);
71
75
72
76
Client-side fetch has different restrictions:
73
77
74
-
***Domain limitation**: Can only make requests to your own webview domain
75
-
***Endpoint requirement**: All requests must target endpoints that start with /api
76
-
***Authentication**: Handled automatically \- no need to manage auth tokens
77
-
***No external domains**: Cannot make requests to external domains from client-side code
78
+
-**Domain limitation**: Can only make requests to your own webview domain
79
+
-**Endpoint requirement**: All requests must target endpoints that start with /api
80
+
-**Authentication**: Handled automatically \- no need to manage auth tokens
81
+
-**No external domains**: Cannot make requests to external domains from client-side code
The following error means HTTP Fetch requests are hitting the internal timeout limits.
108
+
The following error means HTTP Fetch requests are hitting the internal timeout limits.
105
109
106
110
```
107
111
HTTP request to domain: <domain> timed out with error: context deadline exceeded.
108
112
```
109
113
110
114
To resolve this:
111
115
112
-
* Use a queue or kick off an async request in your back end. You can use [Scheduler](https://developers.reddit.com/docs/capabilities/server/scheduler) to monitor the result.
113
-
* Optimize the overall HTTP request latency if you have a self-hosted server.
116
+
- Use a queue or kick off an async request in your back end. You can use [Scheduler](https://developers.reddit.com/docs/capabilities/server/scheduler) to monitor the result.
117
+
- Optimize the overall HTTP request latency if you have a self-hosted server.
114
118
115
119
## Global fetch allowlist
116
120
@@ -154,35 +158,35 @@ These domains are globally allowed and can be fetched by any app.
154
158
155
159
Allow-listed domains fall into three categories:
156
160
157
-
1.**APIs that provide data or specific services** (e.g., api.openai.com, api.wikipedia.org) \- These will be approved if they have a **publicly documented and publicly accessible API** for valid use cases, and if they adhere to the Devvit rules. Please reference our AI providers and account linking policies for common invalid use cases.
158
-
2.**Limited scope cloud providers** (e.g., username.supabase.com, my-app.firebase.com) \- May be granted with exceptions. You must:
159
-
* Follow user privacy guidelines and data governance requirements
160
-
* Use an approved provider from the list below (please include your subdomain, and request for the most granular domain possible, e.g. my-app.s3.amazonaws.com)
161
-
* supabase.com
162
-
* firebase.com
163
-
* spacetimedb.com
164
-
* s3.amazonaws.com
165
-
* storage.googleapis.com
166
-
* Demonstrate a capability that @devvit/server doesn't support
167
-
* Valid use cases include relational databases
168
-
* Note: Approval can be revoked at any time
161
+
1.**APIs that provide data or specific services** (e.g., api.openai.com, api.wikipedia.org) \- These will be approved if they have a **publicly documented and publicly accessible API** for valid use cases, and if they adhere to the Devvit rules. Please reference our AI providers and account linking policies for common invalid use cases.
162
+
2.**Limited scope cloud providers** (e.g., username.supabase.com, my-app.firebase.com) \- May be granted with exceptions. You must:
163
+
- Follow user privacy guidelines and data governance requirements
164
+
- Use an approved provider from the list below (please include your subdomain, and request for the most granular domain possible, e.g. my-app.s3.amazonaws.com)
165
+
- supabase.com
166
+
- firebase.com
167
+
- spacetimedb.com
168
+
- s3.amazonaws.com
169
+
- storage.googleapis.com
170
+
- Demonstrate a capability that @devvit/server doesn't support
171
+
- Valid use cases include relational databases
172
+
- Note: Approval can be revoked at any time
169
173
3.**Personal domains** (e.g., personaldomain.com) \- Will not be approved. If you have a use case that our Devvit server does not support, please submit your request with detailed justification for a possible exception.
170
174
171
175
### AI providers
172
176
173
177
At this time, OpenAI and Google Gemini are the only allowed providers:
174
178
175
-
* api.openai.com
176
-
* generativelanguage.googleapis.com
179
+
- api.openai.com
180
+
- generativelanguage.googleapis.com
177
181
178
182
Requests to use any other AI provider will be denied.
179
183
180
184
### Documentation requirements
181
185
182
186
If your app uses fetch domains, you must add context to your app's README for the approval process:
183
187
184
-
1. Create a "Fetch Domains" section in your README
185
-
2. List each domain you're requesting and explain why you need it
188
+
1. Create a "Fetch Domains" section in your README
189
+
2. List each domain you're requesting and explain why you need it
186
190
3. Ensure your usage complies with our fetch guidelines
187
191
188
192
Example README section:
@@ -201,10 +205,10 @@ The following domains are requested for this app:
201
205
202
206
Domain entries must be exact hostnames only, such as nytimes.com or wikipedia.org. In addition:
203
207
204
-
* Be specific. No using \*.example.com when you need api.example.com
205
-
* No wildcards: \*.example.com
206
-
* No protocols: https://api.example.com
207
-
* No paths: api.example.com/webhooks
208
+
- Be specific. No using \*.example.com when you need api.example.com
209
+
- No wildcards: \*.example.com
210
+
- No protocols: https://api.example.com
211
+
- No paths: api.example.com/webhooks
208
212
209
213
Domains that are approved for your app are displayed in the Developer Settings section for your app at `https://developers.reddit.com/apps/{your-app-slug}/developer-settings`. These domains are allow-listed for **your app only** and not globally.
Copy file name to clipboardExpand all lines: versioned_docs/version-0.11/capabilities/http-fetch.mdx
+4Lines changed: 4 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -37,6 +37,10 @@ Your Devvit app can make network requests to access allow-listed external domain
37
37
38
38
### Requesting a domain to be allow-listed
39
39
40
+
:::note
41
+
If you're porting a Data API app as part of our [App Migration Programs](https://www.reddit.com/r/Devvit/comments/1sgwkm7/bring_your_data_api_apps_to_devvit_and_details/) you may be eligible for special fetch domain exceptions. Please list at the top of your Devvit app's README.md file which Data API app you are migrating (account username), and which domains you need access to. Our App Review team will provide exemptions for program participants.
42
+
:::
43
+
40
44
Apps may request a domain to be added to the allow-list by specifying `domains` in the `http` configuration.
41
45
This configuration is optional, and apps can still configure `http: true` as before.
Copy file name to clipboardExpand all lines: versioned_docs/version-0.12/capabilities/http-fetch.md
+42-34Lines changed: 42 additions & 34 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -23,26 +23,30 @@ devvit.json
23
23
24
24
### Requesting a domain to be allow-listed
25
25
26
+
:::note
27
+
If you're porting a Data API app as part of our [App Migration Programs](https://www.reddit.com/r/Devvit/comments/1sgwkm7/bring_your_data_api_apps_to_devvit_and_details/) you may be eligible for special fetch domain exceptions. Please list at the top of your Devvit app's README.md file which Data API app you are migrating (account username), and which domains you need access to. Our App Review team will provide exemptions for program participants.
28
+
:::
29
+
26
30
Apps may request a domain to be added to the allow-list by specifying domains in the http configuration. This configuration is optional, and apps can still configure http: true as before.
27
31
28
32
Requested domains will be submitted for review when you playtest or upload your app. Admins may approve or deny domain requests.
29
33
30
34
Domain entries must be exact hostnames only, such as nytimes.com or wikipedia.org. These fetch requests are not allowed:
31
35
32
-
* Be specific. No using \*.example.com when you need api.example.com
33
-
* No wildcards: \*.example.com
34
-
* No protocols: https://api.example.com
35
-
* No paths: api.example.com/webhooks
36
+
- Be specific. No using \*.example.com when you need api.example.com
37
+
- No wildcards: \*.example.com
38
+
- No protocols: https://api.example.com
39
+
- No paths: api.example.com/webhooks
36
40
37
41
Domains that are approved for your app will be displayed in the Developer Settings section for your app at `https://developers.reddit.com/apps/{your-app-slug}/developer-settings`. These domains are allow-listed for **your app only** and not globally.
38
42
39
43
Apps must request each individual domain that it intends to fetch, even if the domain is already globally allowed. See the [global fetch allowlist](#global-fetch-allowlist) to view the list of globally allowed domains.
40
44
41
45
## Limitations
42
46
43
-
* Access is only allowed to https URIs.
44
-
* Supported HTTP methods: GET, POST, PUT, DELETE, OPTIONS and PATCH.
45
-
* HTTP timeout limit is 30 seconds.
47
+
- Access is only allowed to https URIs.
48
+
- Supported HTTP methods: GET, POST, PUT, DELETE, OPTIONS and PATCH.
49
+
- HTTP timeout limit is 30 seconds.
46
50
47
51
## Example usage
48
52
@@ -71,10 +75,10 @@ console.log('External API response:', data);
71
75
72
76
Client-side fetch has different restrictions:
73
77
74
-
***Domain limitation**: Can only make requests to your own webview domain
75
-
***Endpoint requirement**: All requests must target endpoints that start with /api
76
-
***Authentication**: Handled automatically \- no need to manage auth tokens
77
-
***No external domains**: Cannot make requests to external domains from client-side code
78
+
-**Domain limitation**: Can only make requests to your own webview domain
79
+
-**Endpoint requirement**: All requests must target endpoints that start with /api
80
+
-**Authentication**: Handled automatically \- no need to manage auth tokens
81
+
-**No external domains**: Cannot make requests to external domains from client-side code
The following error means HTTP Fetch requests are hitting the internal timeout limits.
108
+
The following error means HTTP Fetch requests are hitting the internal timeout limits.
105
109
106
110
```
107
111
HTTP request to domain: <domain> timed out with error: context deadline exceeded.
108
112
```
109
113
110
114
To resolve this:
111
115
112
-
* Use a queue or kick off an async request in your back end. You can use [Scheduler](https://developers.reddit.com/docs/capabilities/server/scheduler) to monitor the result.
113
-
* Optimize the overall HTTP request latency if you have a self-hosted server.
116
+
- Use a queue or kick off an async request in your back end. You can use [Scheduler](https://developers.reddit.com/docs/capabilities/server/scheduler) to monitor the result.
117
+
- Optimize the overall HTTP request latency if you have a self-hosted server.
114
118
115
119
## Global fetch allowlist
116
120
@@ -154,35 +158,35 @@ These domains are globally allowed and can be fetched by any app.
154
158
155
159
Allow-listed domains fall into three categories:
156
160
157
-
1.**APIs that provide data or specific services** (e.g., api.openai.com, api.wikipedia.org) \- These will be approved if they have a **publicly documented and publicly accessible API** for valid use cases, and if they adhere to the Devvit rules. Please reference our AI providers and account linking policies for common invalid use cases.
158
-
2.**Limited scope cloud providers** (e.g., username.supabase.com, my-app.firebase.com) \- May be granted with exceptions. You must:
159
-
* Follow user privacy guidelines and data governance requirements
160
-
* Use an approved provider from the list below (please include your subdomain, and request for the most granular domain possible, e.g. my-app.s3.amazonaws.com)
161
-
* supabase.com
162
-
* firebase.com
163
-
* spacetimedb.com
164
-
* s3.amazonaws.com
165
-
* storage.googleapis.com
166
-
* Demonstrate a capability that @devvit/server doesn't support
167
-
* Valid use cases include relational databases
168
-
* Note: Approval can be revoked at any time
161
+
1.**APIs that provide data or specific services** (e.g., api.openai.com, api.wikipedia.org) \- These will be approved if they have a **publicly documented and publicly accessible API** for valid use cases, and if they adhere to the Devvit rules. Please reference our AI providers and account linking policies for common invalid use cases.
162
+
2.**Limited scope cloud providers** (e.g., username.supabase.com, my-app.firebase.com) \- May be granted with exceptions. You must:
163
+
- Follow user privacy guidelines and data governance requirements
164
+
- Use an approved provider from the list below (please include your subdomain, and request for the most granular domain possible, e.g. my-app.s3.amazonaws.com)
165
+
- supabase.com
166
+
- firebase.com
167
+
- spacetimedb.com
168
+
- s3.amazonaws.com
169
+
- storage.googleapis.com
170
+
- Demonstrate a capability that @devvit/server doesn't support
171
+
- Valid use cases include relational databases
172
+
- Note: Approval can be revoked at any time
169
173
3.**Personal domains** (e.g., personaldomain.com) \- Will not be approved. If you have a use case that our Devvit server does not support, please submit your request with detailed justification for a possible exception.
170
174
171
175
### AI providers
172
176
173
177
At this time, OpenAI and Google Gemini are the only allowed providers:
174
178
175
-
* api.openai.com
176
-
* generativelanguage.googleapis.com
179
+
- api.openai.com
180
+
- generativelanguage.googleapis.com
177
181
178
182
Requests to use any other AI provider will be denied.
179
183
180
184
### Documentation requirements
181
185
182
186
If your app uses fetch domains, you must add context to your app's README for the approval process:
183
187
184
-
1. Create a "Fetch Domains" section in your README
185
-
2. List each domain you're requesting and explain why you need it
188
+
1. Create a "Fetch Domains" section in your README
189
+
2. List each domain you're requesting and explain why you need it
186
190
3. Ensure your usage complies with our fetch guidelines
187
191
188
192
Example README section:
@@ -199,12 +203,16 @@ The following domains are requested for this app:
199
203
200
204
### Domain requirements
201
205
206
+
:::note
207
+
If you're porting a Data API app as part of our [App Migration Programs](https://www.reddit.com/r/Devvit/comments/1sgwkm7/bring_your_data_api_apps_to_devvit_and_details/) you may be eligible for special fetch domain exceptions. Please list at the top of your Devvit app's README.md file which Data API app you are migrating (account username), and which domains you need access to. Our App Review team will provide exemptions for program participants.
208
+
:::
209
+
202
210
Domain entries must be exact hostnames only, such as nytimes.com or wikipedia.org. In addition:
203
211
204
-
* Be specific. No using \*.example.com when you need api.example.com
205
-
* No wildcards: \*.example.com
206
-
* No protocols: https://api.example.com
207
-
* No paths: api.example.com/webhooks
212
+
- Be specific. No using \*.example.com when you need api.example.com
213
+
- No wildcards: \*.example.com
214
+
- No protocols: https://api.example.com
215
+
- No paths: api.example.com/webhooks
208
216
209
217
Domains that are approved for your app are displayed in the Developer Settings section for your app at `https://developers.reddit.com/apps/{your-app-slug}/developer-settings`. These domains are allow-listed for **your app only** and not globally.
0 commit comments