Documentation

Allowed domains

Lock your embed key to specific websites so only your own sites can use it.

What is domain allowlisting?

Your embed key is a public identifier — anyone who finds it in your HTML could technically use it on their own site. Domain allowlisting lets you restrict which websites are allowed to load your feed. Requests from unlisted origins receive a 403 Forbidden response.

Default behaviour: If no domains are added, your feed can be embedded on any website. This is fine for most use cases. Add domains only if you want to restrict access.

How to add allowed domains

  1. 1Go to the dashboard → Feeds → click your feed.
  2. 2Click Settings (or the edit button).
  3. 3Find the Allowed domains field.
  4. 4Enter each domain on its own line, without https:// or paths. Example: example.com
  5. 5Save. Changes take effect immediately.

Domain format

Enter bare hostnames only — no protocol, no path, no port:

example.com
www.example.com
shop.example.com
https://example.com(no protocol)
example.com/page(no paths)
example.com:8080(no ports)

Subdomain matching

Adding example.com to your allowlist will also permit requests from any subdomain of that domain — e.g. www.example.com, shop.example.com, etc. If you only want a specific subdomain, add it explicitly instead.

Local development

If you have domains configured and are testing locally, add localhost to your allowlist temporarily. Remember to remove it when you’re done.

Tip: Create a separate development feed with localhost allowed, and a separate production feed for your live domain. That way you never have to edit your production allowlist during development.