[BUG] Allow network egress - All domains' setting not reflected in session proxy JWT

Open 💬 1 comment Opened Mar 15, 2026 by tylerwhardy

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Summary

When Allow network egress is enabled with Domain allowlist set to All
domains
, the egress proxy still enforces a restrictive hardcoded allowlist of
specific domains rather than permitting all outbound traffic.

Actual Behavior

The egress proxy returns 403 Forbidden with x-deny-reason: host_not_allowed.

Inspecting the proxy's https_proxy JWT (visible in curl -v output) reveals
the token contains an explicit allowed_hosts field listing specific well-known
package registries and development services — not a wildcard. The "All domains"
setting is not reflected in the issued JWT.

Additional Context

  • The setting has been configured for multiple weeks, ruling out a propagation delay
  • Starting a new session does not resolve the issue — the JWT is still minted

with the restrictive allowlist

  • The JWT has iat/exp fields confirming it is issued at session start,

suggesting session initialization does not correctly read the current allowlist policy

Impact

Users with legitimate use cases requiring access to private/self-hosted
infrastructure (e.g., internal services, private registries, on-prem tooling)
are blocked even after explicitly configuring unrestricted egress access.

What Should Happen?

All outbound domains should be accessible, as indicated by the UI message:
"Claude can access all domains on the internet."

Error Messages/Logs

$ curl -v --max-time 10 https://<custom-domain>/api/v1/version

* Uses proxy env variable https_proxy == 'http://...jwt_<token>...'
* Trying 21.0.0.191:15004...
* Connected to 21.0.0.191 port 15004
* CONNECT tunnel: HTTP/1.1 negotiated
* Establish HTTP proxy tunnel to <custom-domain>:443

> CONNECT <custom-domain>:443 HTTP/1.1

< HTTP/1.1 403 Forbidden
< x-deny-reason: host_not_allowed
< server: envoy

* CONNECT tunnel failed, response 403
curl: (56) CONNECT tunnel failed, response 403




{
  "iss": "anthropic-egress-control",
  "iat": 1773591510,  // 2026-03-15 16:18:30 UTC
  "exp": 1773605910,  // 2026-03-15 20:18:30 UTC
  "allowed_hosts_count": 205,
  "allowed_hosts": ["java.net", "registry.yarnpkg.com", "get.rvm.io", "k8s.io",
                    "*.googleapis.com", "java.com", "www.rust-lang.org", ...],
  "wildcard_entries": ["*.googleapis.com", "*.nixos.org", "*.sentry.io",
                       "*.microsoftonline.com", "*.amazonaws.com", ...],
  "use_egress_gateway": true
}

Steps to Reproduce

  1. In Claude Code settings, enable Allow network egress
  2. Set Domain allowlist to All domains
  3. Save settings
  4. Start a new conversation session
  5. Attempt to make an outbound HTTP request to a domain not on the standard

package registry allowlist (e.g., a private self-hosted service)

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

Claude 1.1.6679 (f8f4ff) 2026-03-13T18:26:03.000Z

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

PowerShell

Additional Information

Key observation: allowed_hosts contains a fixed list of 205 specific domains/patterns. There is no * wildcard, no allow_all: true flag, and no indication that the "All domains" UI setting is reflected anywhere in the token. A custom self-hosted domain is rejected with host_not_allowed despite the org setting being configured to "All domains" for over two weeks and across multiple reinstalls/sessions.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗