[Change] Infrastructure (CDN) rollout and potential new 400 & 403 errors


We are integrating with a new Content Delivery Network (CDN) to serve Asana requests more efficiently. For most Asana API users, this change should have no negative impact. In rare cases (described below), some requests may begin to fail because our new CDN has more stringent requirements for HTTPS requests. We plan to start a gradual rollout on or after January 17. You can preview the change by sending API traffic to https://cdn.app.asana.com/api/1.0/.

Who is affected

These are the backwards-incompatible scenarios we know of. We will update this post if we find any others.

  • GET requests with a body Historically, our API has been lenient in accepting GET requests with a body and ignoring the body content. Moving forward, any GET requests with a body will be rejected with an error.

  • TLSv1.2 cipher changes - We will only support the set of ciphers listed here TLSv1.2_2019.


We will begin a gradual rollout of this change on or after January 17th and update this forum topic with any significant changes to that timeline.

Migration steps

  • Before we make the change, you can test against the new infrastructure by making requests to https://cdn.app.asana.com/api/1.0/ as your API base URL instead of https://app.asana.com/api/1.0/

  • If you encounter a critical problem during the January 2024 rollout, you can temporarily make requests to https://deprecated-api.asana.com/api/1.0 to route requests to our older infrastructure. We intend to remove this option on March 1, 2024.

Why we’re making this change

  • Improved performance - This infrastructure change is a big step towards being able to serve API requests from regions closer to our customers. This should reduce latency (especially outside of North America) and improve API response times.

  • HTTP/2 Support - We’ll be ready to accept HTTP/2 requests from clients that support it.


While we’ve conducted testing to uncover the issues mentioned above, this change may cause requests to fail in uncommon scenarios we haven’t identified. We have emailed the owners of apps where our logging indicates the app is making GET requests with a body.

If you do encounter errors for requests that previously succeeded, please leave a comment below with the following details:

  • Your full HTTP request. Please make sure to omit your API token or any secrets

  • The x-amz-cf-id in the response if possible

  • Any other details and context about your request

Asana’s DevRel, Product, and Engineering teams will be actively monitoring this topic. Leaving a comment here is the quickest way to get support on any issues related to the new CDN.

We believe this change will ultimately be a big improvement. Thank you for your understanding as we work through any issues. We value your feedback so please don’t hesitate to share your thoughts or questions. Subscribe for updates.

Jan. 19th Update:

We began the CloudFront rollout yesterday. We’re monitoring relative error rates to catch any other potential unknown HTTP specification enforcements besides GET bodies. We’re adding individual countries in order to gradually increase traffic as we monitor error rates.

As of 20:17 UTC, these countries are routing to new CDN: Canada, Brazil, Netherlands, Belgium, Italy, Germany, Finland, Iceland, Sweden, Denmark, Norway, Australia, Japan

Jan. 22nd Update:

As of 17:21 UTC, these additional countries have been added: Philippines, Indonesia, Mexico, Egypt, Turkey, Argentina, Poland, France, India, South Korea, Portugal, Spain.

As of 23:25 UTC, the state of California has been added to CloudFront.

We plan to roll out to 100% in the next 24-36 hours.

Jan. 23rd Update:

We’re continuing to add countries and US states. Error rates between geographies existing infrastructure and CloudFront look similar and we

Jan. 25rd Update:

We have rolled CloudFront to 100% as of 14:30 UTC today.


@Jeff_Schneider and team,

Thanks for providing:

I just used it to verify that Asana2Go will work fine with the new, improved API access.




We previously said https://deprecated-api.asana.com/api/1.0 would be moved on March 1, 2024. It’s still active, but will be disabled in the coming weeks.

In the meantime, these TLS ciphers will no longer be supported on https://deprecated-api.asana.com/api/1.0 .

  • AES128-GCM-SHA256
  • AES128-SHA
  • AES128-SHA256
  • AES256-GCM-SHA384
  • AES256-SHA
  • AES256-SHA256
1 Like