[BUG] Allow network egress - All domains' setting not reflected in session proxy JWT
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Summary
When Allow network egress is enabled with Domain allowlist set to All
domains, the egress proxy still enforces a restrictive hardcoded allowlist of
specific domains rather than permitting all outbound traffic.
Actual Behavior
The egress proxy returns 403 Forbidden with x-deny-reason: host_not_allowed.
Inspecting the proxy's https_proxy JWT (visible in curl -v output) reveals
the token contains an explicit allowed_hosts field listing specific well-known
package registries and development services — not a wildcard. The "All domains"
setting is not reflected in the issued JWT.
Additional Context
- The setting has been configured for multiple weeks, ruling out a propagation delay
- Starting a new session does not resolve the issue — the JWT is still minted
with the restrictive allowlist
- The JWT has
iat/expfields confirming it is issued at session start,
suggesting session initialization does not correctly read the current allowlist policy
Impact
Users with legitimate use cases requiring access to private/self-hosted
infrastructure (e.g., internal services, private registries, on-prem tooling)
are blocked even after explicitly configuring unrestricted egress access.
What Should Happen?
All outbound domains should be accessible, as indicated by the UI message:
"Claude can access all domains on the internet."
Error Messages/Logs
$ curl -v --max-time 10 https://<custom-domain>/api/v1/version
* Uses proxy env variable https_proxy == 'http://...jwt_<token>...'
* Trying 21.0.0.191:15004...
* Connected to 21.0.0.191 port 15004
* CONNECT tunnel: HTTP/1.1 negotiated
* Establish HTTP proxy tunnel to <custom-domain>:443
> CONNECT <custom-domain>:443 HTTP/1.1
< HTTP/1.1 403 Forbidden
< x-deny-reason: host_not_allowed
< server: envoy
* CONNECT tunnel failed, response 403
curl: (56) CONNECT tunnel failed, response 403
{
"iss": "anthropic-egress-control",
"iat": 1773591510, // 2026-03-15 16:18:30 UTC
"exp": 1773605910, // 2026-03-15 20:18:30 UTC
"allowed_hosts_count": 205,
"allowed_hosts": ["java.net", "registry.yarnpkg.com", "get.rvm.io", "k8s.io",
"*.googleapis.com", "java.com", "www.rust-lang.org", ...],
"wildcard_entries": ["*.googleapis.com", "*.nixos.org", "*.sentry.io",
"*.microsoftonline.com", "*.amazonaws.com", ...],
"use_egress_gateway": true
}
Steps to Reproduce
- In Claude Code settings, enable Allow network egress
- Set Domain allowlist to All domains
- Save settings
- Start a new conversation session
- Attempt to make an outbound HTTP request to a domain not on the standard
package registry allowlist (e.g., a private self-hosted service)
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
Claude 1.1.6679 (f8f4ff) 2026-03-13T18:26:03.000Z
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
PowerShell
Additional Information
Key observation: allowed_hosts contains a fixed list of 205 specific domains/patterns. There is no * wildcard, no allow_all: true flag, and no indication that the "All domains" UI setting is reflected anywhere in the token. A custom self-hosted domain is rejected with host_not_allowed despite the org setting being configured to "All domains" for over two weeks and across multiple reinstalls/sessions.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗