This topic provides step-by-step instructions to configure an App‑to‑App allow list at the team level. The allow list configuration determines the apps and URLs that can receive data from the ProntoForms app in a callback.
Default allow list behavior
The App-to-App allow list An App‑to‑App allow list is a list of URLs and third-party applications that can receive data from ProntoForms in a callback. only applies to callback requests that include the
x-error callback parameters. If an app protocol or URL specified in an x-callback parameter is not listed as “allowed”, the entire request fails and the ProntoForms app displays an error message.
The default allow list settings depend on when your team was created:
For teams created before February 23, 2021, the allow list defaults to all callbacks allowed.
For teams created after February 23, 2021, the allow list defaults to no callbacks allowed.
Note:In both cases, we recommend that you configure a custom App‑to‑App allow list.
You must have Admin user permissions with access to team-level settings.
Your ProntoForms Team must be on the Advanced or Enterprise tier.
You must know the registered URL scheme for the third-party app that you want to include in the allow list.
In the ProntoForms Web Portal The ProntoForms Web Portal is a web application used to manage security settings, forms, FormSpaces, other users, Data Sources, and Data Destinations., go to Username > Team Settings.
On the Security tab, in the App‑to‑App Allow List section, select the down arrow to change the settings. You can choose from the following options:
No callbacks allowed
Callbacks allowed to specific apps and URLs
All callbacks allowed (not recommended)
Warning:If you share data from forms in App‑to‑App callbacks, we recommend that you define an allow list. This limits the URLs and apps that can receive the data and guards against unintended sharing of information.
To define an allow list, select Callbacks allowed to specific apps and URLs, and then enter up to ten app protocols and URLs.Note: The following restrictions apply:
App protocols must have the format
app://and contain only alphanumeric, hyphen (-), or underscore characters. For example:
URLs must begin with
https://and contain a valid domain name. For example:
You can enter up to ten items.
To save and apply the settings, select Update.
Result: If you send a callback request that contains an app or URL that’s not on the allowed list, the ProntoForms app blocks the entire request.
Tip:Remind your mobile device users to Reconcile The term "reconcile" refers to a send/receive action between the mobile app and the ProntoForms server. This synchronizes new form versions, data sources, and dispatches from the Web Portal to the mobile app to ensure that mobile users are working with up-to-date resources. This also synchronizes new form submissions from the mobile app to the Web Portal to ensure that work completed by a mobile user gets properly submitted and sent through data destinations. A reconcile can be manually or automatically initiated and requires network connectivity. after you update the allow list.