Default allow list behavior
x‑error callback parameters. If an app protocol or URL specified in an x-callback parameter is not listed as “allowed”, the entire request fails and the ProntoForms app displays an error message.
The default allow list settings depend on when your team was created:
For teams created before February 23, 2021, the allow list defaults to all callbacks allowed.
For teams created after February 23, 2021, the allow list defaults to no callbacks allowed.
Note: In both cases, we recommend that you configure a custom App‑to‑App allow list.
You must have Admin user permissions with access to team-level settings.
Your ProntoForms Team must be on the Advanced or Enterprise tier.
You must know the registered URL scheme for the third-party app that you want to include in the allow list.
In the ProntoForms Web Portal, go to Username > Team Settings.
On the Security tab, in the App‑to‑App Allow List section, select the down arrow to change the settings. You can choose from the following options:
No callbacks allowed
Callbacks allowed to specific apps and URLs
All callbacks allowed (not recommended)
Warning: If you share data from forms in App‑to‑App callbacks, we recommend that you define an allow list. This limits the URLs and apps that can receive the data and guards against unintended sharing of information.
To define an allow list, select Callbacks allowed to specific apps and URLs, and then enter up to ten app protocols and URLs.
Note: The following restrictions apply:
App protocols must have the format app:// and contain only alphanumeric, hyphen (-), or underscore characters. For example:
URLs must begin with https:// and contain a valid domain name. For example:
You can enter up to ten items.
To save and apply the settings, select Update.
Result: If you send a callback request that contains an app or URL that’s not on the allowed list, the ProntoForms app blocks the entire request.
Tip: Remind your mobile device users to Reconcile after you update the allow list.
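The restrictions on allow list entries described above can be checked before you enter a list in the Web Portal. The following Python lint is an added example, not ProntoForms code; it assumes an app protocol is written as a scheme name followed by :// with nothing after it, and that a valid domain name means at least two dot-separated labels ending in an alphabetic top-level label. The sample entries are constructed.

```python
import re
from urllib.parse import urlsplit

MAX_ITEMS = 10  # "You can enter up to ten items."
# Assumption: an app protocol is "<scheme>://" and nothing else, where <scheme>
# contains only alphanumeric, hyphen, or underscore characters.
APP_PROTOCOL = re.compile(r"[A-Za-z0-9_-]+://")
# Assumption: a domain label is 1-63 letters, digits or hyphens, with no
# leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_entry(entry):
    """Return None if the entry meets the stated restrictions, else a reason."""
    lowered = entry.lower()
    if lowered.startswith("https://"):
        try:
            host = urlsplit(entry).hostname or ""
        except ValueError:
            return "URL could not be parsed"
        labels = host.split(".")
        if (len(labels) < 2 or not all(LABEL.fullmatch(l) for l in labels)
                or not labels[-1].isalpha()):
            return "URL does not contain a valid domain name"
        return None
    if lowered.startswith("http://"):
        return "URLs must begin with https://"
    if APP_PROTOCOL.fullmatch(entry):
        return None
    return "not an https:// URL or a well-formed app protocol"


def lint_allow_list(entries):
    """Return (entry, problem) pairs; an empty result means the list passes."""
    problems = []
    if len(entries) > MAX_ITEMS:
        problems.append(("<list>", f"{len(entries)} items exceeds the limit of {MAX_ITEMS}"))
    problems += [(e, r) for e in entries if (r := check_entry(e.strip()))]
    return problems


# Constructed sample list: two acceptable entries followed by three rejected ones.
SAMPLE = ["partner-app://", "https://callbacks.example.com/done",
          "http://callbacks.example.com/done", "my app://", "https://localhost"]

if __name__ == "__main__":
    for entry, problem in lint_allow_list(SAMPLE):
        print(f"{entry!r}: {problem}")
```

An entry that passes this lint is only well-formed; whether it belongs on the allow list is still a decision about which apps and URLs should receive form data.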