Allowed Origins
Allowed origins lock your site's challenge and verify endpoints to specific domains, so an API key lifted from your page source can't be reused by a page on someone else's website. The check is enforced on the request's Origin header, which browsers attach automatically and which page scripts cannot forge.
Configuring
Open the site's Origins tab in the console and add each domain that should be allowed to call your endpoints. Use the full scheme + host form, with no path and no trailing slash (include the port if your site runs on a non-default one, since the match is exact):
https://example.com
https://www.example.com
https://app.example.com
How the check works
- The server reads the Origin header, falling back to the Referer header.
- If neither header is present, the request is allowed. This is what lets server-to-server calls work, and it also means the check is a browser-side control: a script that simply omits both headers is not blocked, so keep the key secret and do not treat this check as authentication.
- Loopback hosts (localhost, 127.0.0.1, ::1) are always allowed for local development.
- If you haven't configured any origins yet, the check is skipped.
- Otherwise the request's origin must match one of the configured entries exactly (same scheme, host and port; no subdomain or wildcard matching), or the request is rejected with 403 Origin not allowed.
Tips
- List every subdomain you serve protected forms from. Wildcards aren't supported by design, so an entry for https://example.com does not cover https://www.example.com.
- Keep http:// entries out of production lists; only add them for staging or local testing. The scheme is part of the match, so an http:// entry never covers the https:// version of the same host.
- Removing an origin takes effect immediately on the next request.