Skip to main content

Configure a Custom App‑to‑App Allow List

  • Updated

Supported on the Advanced and Enterprise tiers:

Essentials
Advanced
Enterprise

Default allow list behavior

The App-to-App allow list only applies to callback requests that include the x‑success, x‑cancel, and x‑error callback parameters. If an app protocol or URL specified in an x-callback parameter is not listed as “allowed”, the entire request fails and the ProntoForms app displays an error message.

The default allow list settings depend on when your team was created:

  • For teams created before February 23, 2021, the allow list defaults to all callbacks allowed.

  • For teams created after February 23, 2021, the allow list defaults to no callbacks allowed.

Note:In both cases, we recommend that you configure a custom App‑to‑App allow list.

Prerequisites

  • You must have Admin user permissions with access to team-level settings.

  • Your ProntoForms Team must be on the Advanced or Enterprise tier.

  • You must know the registered URL scheme for the third-party app that you want to include in the allow list.

Steps to configure an App‑to‑App allow list

  1. In the ProntoForms Web Portal, go to Username > Team Settings.

    Web Portal showing the username list and the Team Settings option.

  2. On the Security tab, in the App‑to‑App Allow List section, select the down arrow to change the settings. You can choose from the following options:

    • No callbacks allowed

    • Callbacks allowed to specific apps and URLs

    • All callbacks allowed (not recommended)

    Warning:If you share data from forms in App‑to‑App callbacks, we recommend that you define an allow list. This limits the URLs and apps that can receive the data and guards against unintended sharing of information.

  3. To define an allow list, select Callbacks allowed to specific apps and URLs, and then enter up to ten app protocols and URLs.

    Note: The following restrictions apply:

    • App protocols must have the format app:// and contain only alphanumeric, hyphen (-), or underscore characters. For example:

      shortcuts://

    • URLs must begin with https:// and contain a valid domain name. For example:

      https://www.company.com/

    • You can enter up to ten items.

  4. To save and apply the settings, select Update.

    Result: If you send a callback request that contains an app or URL that’s not on the allowed list, the ProntoForms app blocks the entire request.

Tip:Remind your mobile device users to Reconcile after you update the allow list.

Related articles

Comments

0 comments

Please sign in to leave a comment.