Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.wearo.io/llms.txt

Use this file to discover all available pages before exploring further.

Domain whitelist

Restrict your API key so it only works on domains you control. This limits exposure if your key is ever scraped from your front-end code.

How to configure

  1. In your dashboard, go to API Keys.
  2. Click the key you want to restrict.
  3. Under Domain restrictions, add your domains.

How matching works

There are exactly two rules:
EntryMatches
kookai.frkookai.fr exactly, plus any subdomain (www.kookai.fr, shop.kookai.fr, etc.)
staging.kookai.frstaging.kookai.fr exactly, plus its subdomains
No regex, no wildcard syntax — entering kookai.fr is enough to cover your entire domain and all its subdomains.

Effect on requests

  • Widget requests include an Origin header automatically (set by the browser)
  • Direct API calls must include an Origin header manually when restrictions are active
  • Requests from non-whitelisted origins receive 403 Domain not authorized

Server-to-server calls

Server-side calls don’t have a browser Origin. Two options:
  1. Remove domain restrictions for keys used exclusively server-side
  2. Add your server’s domain to the whitelist and send it as the Origin header
curl -X POST "https://..." \
  -H "X-API-Key: wearo_xxx" \
  -H "Origin: https://api.mystore.com" \
  ...