Domain whitelist
Restrict your API key so it only works on domains you control. This limits exposure if your key is ever scraped from your front-end code.
How to configure
- In your dashboard, go to API Keys.
- Click the key you want to restrict.
- Under Domain restrictions, add your domains.
How matching works
There are exactly two rules:

| Entry | Matches |
|---|---|
| kookai.fr | kookai.fr exactly, plus any subdomain (www.kookai.fr, shop.kookai.fr, etc.) |
| staging.kookai.fr | staging.kookai.fr exactly, plus its subdomains |

kookai.fr is enough to cover your entire domain and all its subdomains.
Effect on requests
- Widget requests include an Origin header automatically (set by the browser)
- Direct API calls must include an Origin header manually when restrictions are active
- Requests from non-whitelisted origins receive 403 Domain not authorized
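
The two matching rules and the 403 response described above, as an added JavaScript example (not Wearo's own code). `hostMatchesEntry` and `checkOrigin` are hypothetical names, and treating a missing or unparseable Origin as unauthorized is an assumption.

```javascript
// Added illustration, not Wearo's implementation.
// Assumption: whitelist entries are bare hostnames as in the table above
// (no scheme, no port, no wildcard syntax).

// Rule 1: the host equals the entry.
// Rule 2: the host is a subdomain of the entry.
function hostMatchesEntry(host, entry) {
  const h = host.toLowerCase();
  const e = entry.toLowerCase();
  // The subdomain test must land on a label boundary ("." + entry).
  // A bare endsWith(entry) would also accept "notkookai.fr" for "kookai.fr".
  return h === e || h.endsWith("." + e);
}

// Decide what a request with this Origin header gets back.
// Assumption: an empty whitelist means restrictions are not active.
function checkOrigin(originHeader, whitelist) {
  const denied = { status: 403, error: "Domain not authorized" };
  if (whitelist.length === 0) return { status: 200 };
  let host;
  try {
    // URL parsing isolates the hostname from scheme and port, so
    // "https://shop.kookai.fr:8443" is compared as "shop.kookai.fr".
    host = new URL(originHeader).hostname;
  } catch {
    // Missing header, or the literal "null" origin sent by sandboxed pages.
    return denied;
  }
  return whitelist.some((entry) => hostMatchesEntry(host, entry))
    ? { status: 200 }
    : denied;
}

// Constructed sample origins, checked against the entries from the table.
const samples = [
  ["https://www.kookai.fr", ["kookai.fr"]],              // subdomain of entry
  ["https://kookai.fr", ["staging.kookai.fr"]],          // parent of entry
  ["https://api.staging.kookai.fr", ["staging.kookai.fr"]],
  ["https://notkookai.fr", ["kookai.fr"]],               // suffix, not subdomain
  ["https://kookai.fr.example.com", ["kookai.fr"]],      // entry used as prefix
];
for (const [origin, list] of samples) {
  console.log(origin, list, checkOrigin(origin, list).status);
}
```

Because the Origin header is supplied by the caller outside a browser, a check like this narrows where a scraped key works from web pages; it does not authenticate the client.
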
Server-to-server calls
Server-side calls don’t have a browser Origin. Two options:
- Remove domain restrictions for keys used exclusively server-side
- Add your server’s domain to the whitelist and send it as the Origin header