I have two apps on Google App Engine, both running under the same account,

Question

0

Asked: June 13, 20262026-06-13T20:50:23+00:00 2026-06-13T20:50:23+00:00

I have two apps on Google App Engine, both running under the same account,

0

I have two apps on Google App Engine, both running under the same account, and one invokes services provided by the other over HTTPS. What is the recommended way of ensuring that only the first app is permitted to invoke the second?

Alternatively, is there a way to specify that given endpoint can only be invoked by an app running under the same GAE account?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-13T20:50:24+00:00

Have your application check for the ‘X-Appengine-Inbound-Appid’ header and make sure the app ID is correct. This header only exists if the request was made by another Google App Engine app and cannot be modified by users.

If you are using Python, you could do the following:

import webapp2

AUTHORIZED_APPS = ('my-first-app', 'my-other-app')

class MyHandler(webapp2.RequestHandler):
    def dispatch(self):
        app_id = self.request.headers.get('X-Appengine-Inbound-Appid', None)

        if app_id in AUTHORIZED_APPS:   
            super(MyHandler, self).dispatch()
        else:
            self.abort(403)

That will raise a 403 for any request that does not have an X-Appengine-Inbound-Appid in its header.

Also, when making requests from one application to another using urlfetch, make sure you set follow_redirects=False or the header does not get added.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have two apps on Google App Engine, both running under the same account,

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply