Solved: Re: Custom App deployment

AjithaN · ‎26 Feb 2026

Hi All,

I was trying to create a Custom App which is having functionality to create Dynatrace workflows based on the data provided in the application. I was able to run the application successfully , but not able to deploy it even in lower tenants.

When trying to deploy it using npm run deploy command, I'm getting the error as below

✔ Creating bundles...
✔ Built the app
✔ Validating manifest
✔ Compressed app artifact
✖ Failed to deploy the app
Error: Failed to install the app
HTTP 400 Bad Request

Manifest of app 'my.workflow.app' violates schema

Only apps that are provided by Dynatrace can use the 'automation:workflows:write' scope.

I believe that its related to the workflow.write scope been added in the appconfig, but since the functionality involves creation of workflows, I cannot remove this scope as well. Is there any workaround to bypass this issue and deploy the app successfully. Please suggest

doesterr · ‎26 Feb 2026

Hi AjithaN,
This restriction can't be bypassed, as it's an important measure to prevent a custom app from doing more than it should.

While your app can't create the workflow programmatically, you can still let users of your app create workflows by using intents. You can find more about this here: https://developer.dynatrace.com/develop/guides/workflows/use-intents/

AjithaN · ‎27 Feb 2026

Thanks for the response. Let me have a look at this and come back

AjithaN · ‎07 Apr 2026

I was able to fulfill the requirement and create the workflow this way(Just that I made the Deploy functionality of the workflow to be done from Workflows UI itself to bypass the automation:workflows:write scope.

Now I am trying to improve the app by trying to build the capability to create Anomaly Rules based on the input provided in the App. From the developer documentation, I understand that this is possible with Settings API /Dynatrace SDK. I tried some of the below approaches , but didnt get a successful outcome.

1) Create Anomaly Rules Directly from the App using Settings API

The app backend could not communicate securely with the Dynatrace tenant API ---> invalid peer certificate: UnknownIssuer

2) Create Anomaly Rules from the App backend using Dynatrace SDK -->no equivalent methods found for creation of Anomaly rules

3)Use Dynatrace Workflows HTTP action to call Settings API --> NotCapable: Blocked request to 'els27805'
(host not in allowlist)

Can you suggest if there is a reliable/feasible approach to fulfill this requirement,or this again has limitations.?

Maheedhar_T · ‎08 Apr 2026

Hi @AjithaN ,
For host not in allow list, you can go to settings (New) -> General -> External requests and add patterns like <tenant-id>.apps.dynatrace.com and <tenant-id>.live.dynatrace.com

Maheedhar

doesterr · ‎08 Apr 2026

Thanks for jumping in, @Maheedhar_T !

@AjithaN , here is more info: https://developer.dynatrace.com/develop/guides/app-functions/allow-outbound-connections/

AjithaN · ‎10 Apr 2026

Thanks for the response. But May I ask you one thing. How the <tenant-id>.apps.dynatrace.com comes as a external request.. Its in this same tenant and link that we are running the workflow or the custom App.

Any hints on the Settings API error if we wanted to have the API call from a custom App

doesterr · ‎10 Apr 2026

About the external requests:
After some testing myself with doing HTTP Requests from a Workflow to your own tenant, I could spot a difference, depending on the API you're accessing:

A request to the Hub API, e.g. https://<tenant-id>.apps.dynatrace.com/platform/hub/v1/catalog/apps succeeds
A request to the Environment API v2, e.g. https://<tenant-id>.live.dynatrace.com/api/v2/settings/objects fails with the "host not in allowlist" error.

But notice the difference, the domain of the Environment API v2 is different than your normal tenant domain (it's ".live." instead of ".apps."). After adding <tenant-id>.live.dynatrace.com to the allow list, the HTTP Request in my workflow succeeded.

About the Invalid peer certificate: UnknownIssuer error:
If you're not using the Classic Environment V2 SDK yet for your request to the API from your app, I'd recommend giving this a try.
https://developer.dynatrace.com/develop/sdks/client-classic-environment-v2/#settingsobjectsclient

AjithaN · ‎22 Apr 2026

Hi,

Thanks again for responding. While, I guess I tried this approach as well using DYnatrace SDk.

Basically, I tried 2 approaches now .

1) Settings API (direct API calls )

Calling Dynatrace’s Settings API endpoints directly

const url =

"https://{environmentid}.apps.dynatrace.com/api/v2/settings/objects";

const response = await fetch(url, {

method: "POST",

headers: {

"Content-Type": "application/json",

"Authorization": `Bearer ${process.env.DT_API_TOKEN}`

},

-->Received invalid peer certificate

2) Using Dynatrace SDK (settingsObjectsClient)

Here I saw , two types of errors: settingsObjectsClient.postSettingsObjects(...)

Method-related errors, e.g.:

TypeError: settingsObjectsClient.createSettingsObjects is not a function

And later, even with the correct method: settingsObjectsClient.postSettingsObjects(...)

invalid peer certificate: UnknownIssuer

doesterr · ‎24 Apr 2026

Using the Dynatrace SDK from within an app function is the correct approach. Are you maybe trying to use it from the UI rather than an app function?

AjithaN · ‎24 Apr 2026

If using the settingsObjectsClient inside *.function.ts file is what you refer by app function, then yes I was using it that way only. It looks like the invalid peer certificate error comes at the time of sending request itself before it looks for any authentication/token.So seems to be something at the network layer. Any opinions/suggestions would be of great help.

doesterr · ‎29 Apr 2026

Can you share the code of your app function? (the *.function.ts) file.
And have you added "<tenant-id>.live.dynatrace.com" to Settings → General → External Requests?

AjithaN · ‎29 Apr 2026

here is my createRule.function.ts file using settingsObjectClient. <tenant-id>.live.dynatrace.com is already there in the external requests host pattern.

import {settingsObjectsClient}

from "@dynatrace-sdk/client-classic-environment-v2";

export default async function (payload: any) {

try {

if (!payload) {

return {

success: false,

error: "Payload missing",

};

}

// ✅ IMPORTANT:

// postSettingsObjects expects an ARRAY, not { objects: [...] }

const result = await settingsObjectsClient.postSettingsObjects({

body: [

{

schemaId: "builtin:davis.anomaly-detectors",

scope: "environment",

value: {

title: payload.ruleName, // ✅ correct field for your tenant

enabled: true,

cpuUsage: {

enabled: true,

threshold: payload.threshold,

},

memoryUsage: {

enabled: false,

},

tagFilters: payload.entityTags,

},

],

});

return {

success: true,

result,

};

} catch (err: any) {

console.error("ERROR:", err.message);

return {

success: false,

error: err.message,

};

}

doesterr · ‎30 Apr 2026

Thanks! There's nothing wrong with that implementation.

Are you hitting the certificate error when running locally (npm run dev) or when the app and it's app function is deployed to the tenant?

If locally, then maybe something in your corporate network is in the way. In that case, talking to your IT team to obtain the right CA cert and setting it via NODE_EXTRA_CA_CERTS might do the trick.

If deployed, that would mean that something is not right on your tenant - in that case please open a support ticket so they can have a closer look.

I hope this helps to get you closer to the real solution 🤞