Is there an issue with exposing /refill-beans publicly, but just locking down access (e.g. enforcing some kind of authorization token for that endpoint)?
Then to access /refill-beans from another app in your org, use the .internal domain plus the authorization token. If your service is behind Cloudflare, you can lock down /refill-beans further by making a page rule to block all requests to that path.
Building some kind of authorization is doable, was just exploring if there’s some way to do it via network. I guess I’ll also try running two ports for the same service - one publicly exposed, and one only for internal routes