Add medusajs.app domain to public list

[sradevski]

Checklist of required steps

• Description of Organization

• Robust Reason for PSL Inclusion

• DNS verification via dig

• Run Syntax Checker (make test)

• Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _psl TXT record in place in the respective zone(s).

Submitter affirms the following:

• We are listing any third-party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)

• This request was not submitted with the objective of working around other third-party limits.

• The submitter acknowledges that it is their responsibility to maintain the domains within their section. This includes removing names which are no longer used, retaining the _psl DNS entry, and responding to e-mails to the supplied address. Failure to maintain entries may result in removal of individual entries or the entire section.

• The Guidelines were carefully read and understood, and this request conforms to them.
• The submission follows the guidelines on formatting and sorting.

Abuse Contact:

• Abuse contact information (email or web form) is available and easily accessible.

  URL where abuse contact or abuse reporting form can be found:

Contact Form

---

For PRIVATE section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

• Yes, I understand. I could break my organization's website cookies and cause other issues, and the rollback timing is acceptable. Proceed anyways.

---

Description of Organization

MedusaJS is an open-source commerce platform made with customizability in mind. There is a corresponding Medusa Cloud solution that makes hosting and managing MedusaJS a lot easier for customers, that uses medusajs.app as the base domain. Each client receives a custom subdomain (eg. myapp.medusajs.app) per deployed environment, which is where the need for this submissions comes from.

I (Stevche) am one of the core engineers working on building and managing Medusa Cloud.

Organization Website:

https://medusajs.com/

Reason for PSL Inclusion

Medusa Cloud is a hosting solution for the MedusaJS project. It integrates with the customers' Git repositories and provides a CI/CD setup, taking care of hosting Medusa, a Postgres database, a Redis instance, and an S3-compatible file storage.

As part of each Medusa project, there can be multiple environments (eg. production, staging, etc.), and each of them gets their own unique subdomain (eg. myapp.medusajs.app). The endpoint hosts the API and admin panel for the MedusaJS app and is used as the API for building storefronts.

As Medusa is onboarding more customers, it's important that the root domain for these environments is part of the public suffix list.

Number of users this request is being made to serve:

Currently around 50-60 subdomains, expected to grow to around 500-600 in the next 2-3 months at the current pace of onboarding customers.

DNS Verification

dig +short TXT _psl.medusajs.app
"https://github.com/publicsuffix/list/pull/2211"

Results of Syntax Checker (make test)

Making clean in po
Making clean in include
Making clean in src
rm -f ./so_locations
Making clean in tools
Making clean in fuzz
Making clean in tests
Making clean in msvc
Making check in po
Making check in include
Making check in src
  CC       libpsl_la-psl.lo
  CC       libpsl_la-lookup_string_in_fixed_set.lo
  CCLD     libpsl.la
Making check in tools
  CC       psl.o
  CCLD     psl
Making check in fuzz
  CC       libpsl_fuzzer.o
  CC       main.o
  CC       libpsl_load_fuzzer.o
  CC       libpsl_load_dafsa_fuzzer.o
  CCLD     libpsl_icu_fuzzer
  CCLD     libpsl_icu_load_fuzzer
  CCLD     libpsl_icu_load_dafsa_fuzzer
PASS: libpsl_icu_load_dafsa_fuzzer
PASS: libpsl_icu_fuzzer
PASS: libpsl_icu_load_fuzzer
============================================================================
Testsuite summary for libpsl 0.21.5
============================================================================
# TOTAL: 3
# PASS:  3
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
Making check in tests
  CC       test-is-public.o
  CC       common.o
  CC       test-is-public-all.o
  CC       test-is-cookie-domain-acceptable.o
  CC       test-is-public-builtin.o
  CC       test-registrable-domain.o
  CCLD     test-is-public
  CCLD     test-is-cookie-domain-acceptable
  CCLD     test-is-public-all
  CCLD     test-is-public-builtin
libtool: warning: '-no-install' is ignored for aarch64-apple-darwin23.5.0
libtool: warning: '-no-install' is ignored for aarch64-apple-darwin23.5.0
libtool: warning: assuming '-no-fast-install' instead
libtool: warning: assuming '-no-fast-install' instead
libtool: warning: '-no-install' is ignored for aarch64-apple-darwin23.5.0
libtool: warning: '-no-install' is ignored for aarch64-apple-darwin23.5.0
libtool: warning: assuming '-no-fast-install' instead
libtool: warning: assuming '-no-fast-install' instead
  CCLD     test-registrable-domain
libtool: warning: '-no-install' is ignored for aarch64-apple-darwin23.5.0
libtool: warning: assuming '-no-fast-install' instead
PASS: test-is-public
PASS: test-is-public-all
PASS: test-is-cookie-domain-acceptable
PASS: test-is-public-builtin
PASS: test-registrable-domain
============================================================================
Testsuite summary for libpsl 0.21.5
============================================================================
# TOTAL: 5
# PASS:  5
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
Making check in msvc

[wdhdev]

• Expiration (Note: Must STAY >2y at all times)
  • medusajs.app expires 2028-11-30
• DNS _psl entries (Note: Must STAY in place)
  • _psl.medusajs.app
• Tests pass
• Sorting
• Reasoning/Organization description
• Non-personal email address
• Abuse contact

---

Notes:

• Your user count does not meet the requirements we normally enforce, which is around 1,000 users.

[simon-friedberger]

@wdhdev When I think the user count is too low, I usually don't tick the "Reasoning/Organization description" box. I agree though that this looks like a legitimate business which has been around for a few years so we can probably accept it if the other criteria are met.

@sradevski What I don't understand about this request is, what these domains are used for. It seems like any serious customer would use their own domain, right?

[sradevski]

@simon-friedberger The subdomain is used for the API endpoint calls from the storefront + the admin panel that the store will use, so they won't necessarily need a custom domain, even if they are a serious business.

For example, imagine you run a store, you wouldn't mind accessing your admin at "myadmin.medusajs.app", but your storefront would be served at "mystore.com". We only host the API + admin, we don't handle the storefronts, so very few customers need a custom domain in that case.

[sradevski]

@wdhdev we extended the validity of the domain just before I opened the PR, but it might not be reflected yet. It should be valid until end of 2028 now.

Update:
I just checked with whois and it shows up as Registry Expiry Date: 2028-11-30T10:41:46Z

[wdhdev]

@simon-friedberger Yeah, I think it would be okay to accept this as they are a fairly large project. They meet all the other criteria.

[simon-friedberger]

@sradevski You didn't list a way to report abuse.

[wdhdev]

I thought he did as well, however it seems he made it a heading, which confused me a bit:

[sradevski]

I updated the formatting a bit, I was missing a newline

[simon-friedberger]

Hm....well....this form looks like it is for trying to get information about a purchase not for reporting abuse and there is no mention of abuse on the front page.