Skip to content

Commit cc67459

Browse files
Added note about app migration domains (#131)
Added note about fetch domains for app migration participants
1 parent 49703f4 commit cc67459

4 files changed

Lines changed: 126 additions & 102 deletions

File tree

docs/capabilities/http-fetch.md

Lines changed: 38 additions & 34 deletions
Original file line numberDiff line numberDiff line change
@@ -23,26 +23,30 @@ devvit.json
2323

2424
### Requesting a domain to be allow-listed
2525

26+
:::note
27+
If you're porting a Data API app as part of our [App Migration Programs](https://www.reddit.com/r/Devvit/comments/1sgwkm7/bring_your_data_api_apps_to_devvit_and_details/) you may be eligible for special fetch domain exceptions. Please list at the top of your Devvit app's README.md file which Data API app you are migrating, and which domains you need access to. Our App Review team will provide exemptions for program participants
28+
:::
29+
2630
Apps may request a domain to be added to the allow-list by specifying domains in the http configuration. This configuration is optional, and apps can still configure http: true as before.
2731

2832
Requested domains will be submitted for review when you playtest or upload your app. Admins may approve or deny domain requests.
2933

3034
Domain entries must be exact hostnames only, such as nytimes.com or wikipedia.org. These fetch requests are not allowed:
3135

32-
* Be specific. No using \*.example.com when you need api.example.com
33-
* No wildcards: \*.example.com
34-
* No protocols: https://api.example.com
35-
* No paths: api.example.com/webhooks
36+
- Be specific. No using \*.example.com when you need api.example.com
37+
- No wildcards: \*.example.com
38+
- No protocols: https://api.example.com
39+
- No paths: api.example.com/webhooks
3640

3741
Domains that are approved for your app will be displayed in the Developer Settings section for your app at `https://developers.reddit.com/apps/{your-app-slug}/developer-settings`. These domains are allow-listed for **your app only** and not globally.
3842

3943
Apps must request each individual domain that it intends to fetch, even if the domain is already globally allowed. See the [global fetch allowlist](#global-fetch-allowlist) to view the list of globally allowed domains.
4044

4145
## Limitations
4246

43-
* Access is only allowed to https URIs.
44-
* Supported HTTP methods: GET, POST, PUT, DELETE, OPTIONS and PATCH.
45-
* HTTP timeout limit is 30 seconds.
47+
- Access is only allowed to https URIs.
48+
- Supported HTTP methods: GET, POST, PUT, DELETE, OPTIONS and PATCH.
49+
- HTTP timeout limit is 30 seconds.
4650

4751
## Example usage
4852

@@ -71,10 +75,10 @@ console.log('External API response:', data);
7175

7276
Client-side fetch has different restrictions:
7377

74-
* **Domain limitation**: Can only make requests to your own webview domain
75-
* **Endpoint requirement**: All requests must target endpoints that start with /api
76-
* **Authentication**: Handled automatically \- no need to manage auth tokens
77-
* **No external domains**: Cannot make requests to external domains from client-side code
78+
- **Domain limitation**: Can only make requests to your own webview domain
79+
- **Endpoint requirement**: All requests must target endpoints that start with /api
80+
- **Authentication**: Handled automatically \- no need to manage auth tokens
81+
- **No external domains**: Cannot make requests to external domains from client-side code
7882
client/index.ts
7983

8084
```
@@ -101,16 +105,16 @@ const handleFetchData = async () => {
101105

102106
## Troubleshooting
103107

104-
The following error means HTTP Fetch requests are hitting the internal timeout limits.
108+
The following error means HTTP Fetch requests are hitting the internal timeout limits.
105109

106110
```
107111
HTTP request to domain: <domain> timed out with error: context deadline exceeded.
108112
```
109113

110114
To resolve this:
111115

112-
* Use a queue or kick off an async request in your back end. You can use [Scheduler](https://developers.reddit.com/docs/capabilities/server/scheduler) to monitor the result.
113-
* Optimize the overall HTTP request latency if you have a self-hosted server.
116+
- Use a queue or kick off an async request in your back end. You can use [Scheduler](https://developers.reddit.com/docs/capabilities/server/scheduler) to monitor the result.
117+
- Optimize the overall HTTP request latency if you have a self-hosted server.
114118

115119
## Global fetch allowlist
116120

@@ -154,35 +158,35 @@ These domains are globally allowed and can be fetched by any app.
154158

155159
Allow-listed domains fall into three categories:
156160

157-
1. **APIs that provide data or specific services** (e.g., api.openai.com, api.wikipedia.org) \- These will be approved if they have a **publicly documented and publicly accessible API** for valid use cases, and if they adhere to the Devvit rules. Please reference our AI providers and account linking policies for common invalid use cases.
158-
2. **Limited scope cloud providers** (e.g., username.supabase.com, my-app.firebase.com) \- May be granted with exceptions. You must:
159-
* Follow user privacy guidelines and data governance requirements
160-
* Use an approved provider from the list below (please include your subdomain, and request for the most granular domain possible, e.g. my-app.s3.amazonaws.com)
161-
* supabase.com
162-
* firebase.com
163-
* spacetimedb.com
164-
* s3.amazonaws.com
165-
* storage.googleapis.com
166-
* Demonstrate a capability that @devvit/server doesn't support
167-
* Valid use cases include relational databases
168-
* Note: Approval can be revoked at any time
161+
1. **APIs that provide data or specific services** (e.g., api.openai.com, api.wikipedia.org) \- These will be approved if they have a **publicly documented and publicly accessible API** for valid use cases, and if they adhere to the Devvit rules. Please reference our AI providers and account linking policies for common invalid use cases.
162+
2. **Limited scope cloud providers** (e.g., username.supabase.com, my-app.firebase.com) \- May be granted with exceptions. You must:
163+
- Follow user privacy guidelines and data governance requirements
164+
- Use an approved provider from the list below (please include your subdomain, and request for the most granular domain possible, e.g. my-app.s3.amazonaws.com)
165+
- supabase.com
166+
- firebase.com
167+
- spacetimedb.com
168+
- s3.amazonaws.com
169+
- storage.googleapis.com
170+
- Demonstrate a capability that @devvit/server doesn't support
171+
- Valid use cases include relational databases
172+
- Note: Approval can be revoked at any time
169173
3. **Personal domains** (e.g., personaldomain.com) \- Will not be approved. If you have a use case that our Devvit server does not support, please submit your request with detailed justification for a possible exception.
170174

171175
### AI providers
172176

173177
At this time, OpenAI and Google Gemini are the only allowed providers:
174178

175-
* api.openai.com
176-
* generativelanguage.googleapis.com
179+
- api.openai.com
180+
- generativelanguage.googleapis.com
177181

178182
Requests to use any other AI provider will be denied.
179183

180184
### Documentation requirements
181185

182186
If your app uses fetch domains, you must add context to your app's README for the approval process:
183187

184-
1. Create a "Fetch Domains" section in your README
185-
2. List each domain you're requesting and explain why you need it
188+
1. Create a "Fetch Domains" section in your README
189+
2. List each domain you're requesting and explain why you need it
186190
3. Ensure your usage complies with our fetch guidelines
187191

188192
Example README section:
@@ -201,10 +205,10 @@ The following domains are requested for this app:
201205

202206
Domain entries must be exact hostnames only, such as nytimes.com or wikipedia.org. In addition:
203207

204-
* Be specific. No using \*.example.com when you need api.example.com
205-
* No wildcards: \*.example.com
206-
* No protocols: https://api.example.com
207-
* No paths: api.example.com/webhooks
208+
- Be specific. No using \*.example.com when you need api.example.com
209+
- No wildcards: \*.example.com
210+
- No protocols: https://api.example.com
211+
- No paths: api.example.com/webhooks
208212

209213
Domains that are approved for your app are displayed in the Developer Settings section for your app at `https://developers.reddit.com/apps/{your-app-slug}/developer-settings`. These domains are allow-listed for **your app only** and not globally.
210214

versioned_docs/version-0.11/capabilities/http-fetch.mdx

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,10 @@ Your Devvit app can make network requests to access allow-listed external domain
3737

3838
### Requesting a domain to be allow-listed
3939

40+
:::note
41+
If you're porting a Data API app as part of our [App Migration Programs](https://www.reddit.com/r/Devvit/comments/1sgwkm7/bring_your_data_api_apps_to_devvit_and_details/) you may be eligible for special fetch domain exceptions. Please list at the top of your Devvit app's README.md file which Data API app you are migrating (account username), and which domains you need access to. Our App Review team will provide exemptions for program participants.
42+
:::
43+
4044
Apps may request a domain to be added to the allow-list by specifying `domains` in the `http` configuration.
4145
This configuration is optional, and apps can still configure `http: true` as before.
4246

versioned_docs/version-0.12/capabilities/http-fetch.md

Lines changed: 42 additions & 34 deletions
Original file line numberDiff line numberDiff line change
@@ -23,26 +23,30 @@ devvit.json
2323

2424
### Requesting a domain to be allow-listed
2525

26+
:::note
27+
If you're porting a Data API app as part of our [App Migration Programs](https://www.reddit.com/r/Devvit/comments/1sgwkm7/bring_your_data_api_apps_to_devvit_and_details/) you may be eligible for special fetch domain exceptions. Please list at the top of your Devvit app's README.md file which Data API app you are migrating (account username), and which domains you need access to. Our App Review team will provide exemptions for program participants.
28+
:::
29+
2630
Apps may request a domain to be added to the allow-list by specifying domains in the http configuration. This configuration is optional, and apps can still configure http: true as before.
2731

2832
Requested domains will be submitted for review when you playtest or upload your app. Admins may approve or deny domain requests.
2933

3034
Domain entries must be exact hostnames only, such as nytimes.com or wikipedia.org. These fetch requests are not allowed:
3135

32-
* Be specific. No using \*.example.com when you need api.example.com
33-
* No wildcards: \*.example.com
34-
* No protocols: https://api.example.com
35-
* No paths: api.example.com/webhooks
36+
- Be specific. No using \*.example.com when you need api.example.com
37+
- No wildcards: \*.example.com
38+
- No protocols: https://api.example.com
39+
- No paths: api.example.com/webhooks
3640

3741
Domains that are approved for your app will be displayed in the Developer Settings section for your app at `https://developers.reddit.com/apps/{your-app-slug}/developer-settings`. These domains are allow-listed for **your app only** and not globally.
3842

3943
Apps must request each individual domain that it intends to fetch, even if the domain is already globally allowed. See the [global fetch allowlist](#global-fetch-allowlist) to view the list of globally allowed domains.
4044

4145
## Limitations
4246

43-
* Access is only allowed to https URIs.
44-
* Supported HTTP methods: GET, POST, PUT, DELETE, OPTIONS and PATCH.
45-
* HTTP timeout limit is 30 seconds.
47+
- Access is only allowed to https URIs.
48+
- Supported HTTP methods: GET, POST, PUT, DELETE, OPTIONS and PATCH.
49+
- HTTP timeout limit is 30 seconds.
4650

4751
## Example usage
4852

@@ -71,10 +75,10 @@ console.log('External API response:', data);
7175

7276
Client-side fetch has different restrictions:
7377

74-
* **Domain limitation**: Can only make requests to your own webview domain
75-
* **Endpoint requirement**: All requests must target endpoints that start with /api
76-
* **Authentication**: Handled automatically \- no need to manage auth tokens
77-
* **No external domains**: Cannot make requests to external domains from client-side code
78+
- **Domain limitation**: Can only make requests to your own webview domain
79+
- **Endpoint requirement**: All requests must target endpoints that start with /api
80+
- **Authentication**: Handled automatically \- no need to manage auth tokens
81+
- **No external domains**: Cannot make requests to external domains from client-side code
7882
client/index.ts
7983

8084
```
@@ -101,16 +105,16 @@ const handleFetchData = async () => {
101105

102106
## Troubleshooting
103107

104-
The following error means HTTP Fetch requests are hitting the internal timeout limits.
108+
The following error means HTTP Fetch requests are hitting the internal timeout limits.
105109

106110
```
107111
HTTP request to domain: <domain> timed out with error: context deadline exceeded.
108112
```
109113

110114
To resolve this:
111115

112-
* Use a queue or kick off an async request in your back end. You can use [Scheduler](https://developers.reddit.com/docs/capabilities/server/scheduler) to monitor the result.
113-
* Optimize the overall HTTP request latency if you have a self-hosted server.
116+
- Use a queue or kick off an async request in your back end. You can use [Scheduler](https://developers.reddit.com/docs/capabilities/server/scheduler) to monitor the result.
117+
- Optimize the overall HTTP request latency if you have a self-hosted server.
114118

115119
## Global fetch allowlist
116120

@@ -154,35 +158,35 @@ These domains are globally allowed and can be fetched by any app.
154158

155159
Allow-listed domains fall into three categories:
156160

157-
1. **APIs that provide data or specific services** (e.g., api.openai.com, api.wikipedia.org) \- These will be approved if they have a **publicly documented and publicly accessible API** for valid use cases, and if they adhere to the Devvit rules. Please reference our AI providers and account linking policies for common invalid use cases.
158-
2. **Limited scope cloud providers** (e.g., username.supabase.com, my-app.firebase.com) \- May be granted with exceptions. You must:
159-
* Follow user privacy guidelines and data governance requirements
160-
* Use an approved provider from the list below (please include your subdomain, and request for the most granular domain possible, e.g. my-app.s3.amazonaws.com)
161-
* supabase.com
162-
* firebase.com
163-
* spacetimedb.com
164-
* s3.amazonaws.com
165-
* storage.googleapis.com
166-
* Demonstrate a capability that @devvit/server doesn't support
167-
* Valid use cases include relational databases
168-
* Note: Approval can be revoked at any time
161+
1. **APIs that provide data or specific services** (e.g., api.openai.com, api.wikipedia.org) \- These will be approved if they have a **publicly documented and publicly accessible API** for valid use cases, and if they adhere to the Devvit rules. Please reference our AI providers and account linking policies for common invalid use cases.
162+
2. **Limited scope cloud providers** (e.g., username.supabase.com, my-app.firebase.com) \- May be granted with exceptions. You must:
163+
- Follow user privacy guidelines and data governance requirements
164+
- Use an approved provider from the list below (please include your subdomain, and request for the most granular domain possible, e.g. my-app.s3.amazonaws.com)
165+
- supabase.com
166+
- firebase.com
167+
- spacetimedb.com
168+
- s3.amazonaws.com
169+
- storage.googleapis.com
170+
- Demonstrate a capability that @devvit/server doesn't support
171+
- Valid use cases include relational databases
172+
- Note: Approval can be revoked at any time
169173
3. **Personal domains** (e.g., personaldomain.com) \- Will not be approved. If you have a use case that our Devvit server does not support, please submit your request with detailed justification for a possible exception.
170174

171175
### AI providers
172176

173177
At this time, OpenAI and Google Gemini are the only allowed providers:
174178

175-
* api.openai.com
176-
* generativelanguage.googleapis.com
179+
- api.openai.com
180+
- generativelanguage.googleapis.com
177181

178182
Requests to use any other AI provider will be denied.
179183

180184
### Documentation requirements
181185

182186
If your app uses fetch domains, you must add context to your app's README for the approval process:
183187

184-
1. Create a "Fetch Domains" section in your README
185-
2. List each domain you're requesting and explain why you need it
188+
1. Create a "Fetch Domains" section in your README
189+
2. List each domain you're requesting and explain why you need it
186190
3. Ensure your usage complies with our fetch guidelines
187191

188192
Example README section:
@@ -199,12 +203,16 @@ The following domains are requested for this app:
199203

200204
### Domain requirements
201205

206+
:::note
207+
If you're porting a Data API app as part of our [App Migration Programs](https://www.reddit.com/r/Devvit/comments/1sgwkm7/bring_your_data_api_apps_to_devvit_and_details/) you may be eligible for special fetch domain exceptions. Please list at the top of your Devvit app's README.md file which Data API app you are migrating (account username), and which domains you need access to. Our App Review team will provide exemptions for program participants.
208+
:::
209+
202210
Domain entries must be exact hostnames only, such as nytimes.com or wikipedia.org. In addition:
203211

204-
* Be specific. No using \*.example.com when you need api.example.com
205-
* No wildcards: \*.example.com
206-
* No protocols: https://api.example.com
207-
* No paths: api.example.com/webhooks
212+
- Be specific. No using \*.example.com when you need api.example.com
213+
- No wildcards: \*.example.com
214+
- No protocols: https://api.example.com
215+
- No paths: api.example.com/webhooks
208216

209217
Domains that are approved for your app are displayed in the Developer Settings section for your app at `https://developers.reddit.com/apps/{your-app-slug}/developer-settings`. These domains are allow-listed for **your app only** and not globally.
210218

0 commit comments

Comments
 (0)