> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wearo.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Domain whitelist

> Restrict your Wearo API key to specific domains to prevent unauthorized use.

# Domain whitelist

Restrict your API key so it only works on domains you control.
This limits exposure if your key is ever scraped from your front-end code.

## How to configure

1. In your dashboard, go to **API Keys**.
2. Click the key you want to restrict.
3. Under **Domain restrictions**, add your domains.

## How matching works

There are exactly two rules:

| Entry               | Matches                                                                               |
| ------------------- | ------------------------------------------------------------------------------------- |
| `kookai.fr`         | `kookai.fr` exactly, **plus** any subdomain (`www.kookai.fr`, `shop.kookai.fr`, etc.) |
| `staging.kookai.fr` | `staging.kookai.fr` exactly, plus its subdomains                                      |

No regex, no wildcard syntax — entering `kookai.fr` is enough to cover your entire domain and all its subdomains.

## Effect on requests

* Widget requests include an `Origin` header automatically (set by the browser)
* Direct API calls must include an `Origin` header manually when restrictions are active
* Requests from non-whitelisted origins receive `403 Domain not authorized`

## Server-to-server calls

Server-side calls don't have a browser `Origin`. Two options:

1. **Remove domain restrictions** for keys used exclusively server-side
2. **Add your server's domain** to the whitelist and send it as the `Origin` header

```bash theme={"dark"}
curl -X POST "https://..." \
  -H "X-API-Key: wearo_xxx" \
  -H "Origin: https://api.mystore.com" \
  ...
```
