Title: Request egress allowlist addition: api.kroger.com:443

Resolved 💬 1 comment Opened Jun 29, 2026 by parker-schwarz Closed Jun 29, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

I'm running a household automation agent in a Claude Code cloud environment. The agent needs to call the Kroger API (api.kroger.com) to manage a grocery pickup cart — OAuth token exchange, product search, and cart add calls. The cloud environment's egress proxy blocks api.kroger.com:443 with a 403, making the entire agent non-functional in the cloud. I currently have to run the OAuth flow locally and manually copy tokens back to the cloud environment as a workaround.

Proposed Solution

Allow users to configure a custom egress allowlist per cloud environment in the Claude Code web UI. Specifically, I'd like api.kroger.com:443 added to the allowlist for my "Meal Planning Agent" environment. Ideally, users could manage this themselves in environment settings rather than needing to file an issue each time.

Alternative Solutions

Currently working around it by running the Kroger OAuth flow locally, then copying the resulting tokens.json content into a KROGER_TOKENS environment variable in the cloud environment so the session-start hook can restore them. This is fragile — tokens expire and need periodic refresh, which also can't happen in the cloud.

Priority

Critical - Blocking my work

Feature Category

CLI commands and flags

Use Case Example

  1. I have a "Meal Planning Agent" cloud environment in Claude Code that automates weekly grocery shopping via the Kroger API
  2. Every Sunday, I run /fill-cart which calls api.kroger.com to search products and add items to my Smith's pickup cart
  3. The session-start hook installs deps and restores credentials automatically
  4. Without api.kroger.com access, every Kroger API call fails with a 403 from the egress proxy — the agent cannot function at all in the cloud

Additional Context

Blocked host: api.kroger.com:443
Error from proxy status endpoint: "gateway answered 403 to CONNECT (policy denial or upstream failure)"
Environment: "Meal Planning Agent" cloud environment (separate from Default)
The Kroger API is a standard REST API over HTTPS/443 — no gRPC, no WebSockets, no unusual protocol requirements.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗