Origin allowlist
Lock your publishable key to the domains you actually run on.
Your publishable key sits in the HTML of any page where you've embedded the configurator — so by definition, it's not a secret. The origin allowlist stops anyone else from picking it up and using it on their own site to spam your CRM with fake leads.
How it works
For every request to /api/widget/v1/config and /api/widget/v1/submit, we check the Origin (or Referer) header against the allowlist on your publishable key. If the header isn't on the list, we return 403 Forbidden.
If the allowlist is empty, all origins are accepted. We recommend setting an allowlist as soon as you go live — the only reason to leave it open is for testing.
Setting the allowlist
- Open API keys in the dashboard.
- Click the key you want to restrict.
- Add domains, one per line. Use the bare hostname — no protocol, no path.
- Save.
Wildcards
Subdomain wildcards work: *.example.com matches www.example.com, book.example.com, preview.example.com — but not example.com itself. To cover both, list them separately:
example.com
*.example.com
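As an added illustration of the matching rules described under "How it works" and "Wildcards" (this is not the service's own code), the Python below applies the documented checks: an empty allowlist accepts everything, the hostname is taken from Origin with Referer as a fallback, a missing header is rejected, bare hostnames match exactly, and *.example.com matches subdomains but not the apex. Whether a wildcard also matches nested subdomains such as a.b.example.com is not stated on the page; it is assumed to here.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit


def hostname_from_header(value: Optional[str]) -> Optional[str]:
    """Return the bare hostname from an Origin or Referer header value.

    Origin looks like "https://www.example.com" (optionally with a port);
    Referer is a full URL with a path. Returns None when the header is
    absent, is the opaque "null" origin, or carries no parsable host.
    """
    if not value or value.strip().lower() == "null":
        return None
    # urlsplit().hostname is lower-cased and has any port removed.
    return urlsplit(value.strip()).hostname or None


def host_matches(host: str, entry: str) -> bool:
    """Match one allowlist entry: an exact bare hostname, or a subdomain
    wildcard like "*.example.com" (matches hosts below example.com, not
    example.com itself; nested subdomains are assumed to match too)."""
    entry = entry.strip().lower()
    if entry.startswith("*."):
        suffix = entry[1:]  # ".example.com"
        # Suffix check on the dotted form, so "evil-example.com" is rejected.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def origin_allowed(allowlist: Iterable[str],
                   origin: Optional[str] = None,
                   referer: Optional[str] = None) -> bool:
    """True when the request should be served, False for a 403."""
    entries = [e for e in allowlist if e.strip()]
    if not entries:
        return True  # empty allowlist: every origin accepted
    host = hostname_from_header(origin) or hostname_from_header(referer)
    if host is None:
        return False  # no usable Origin/Referer: treated as not on the list
    return any(host_matches(host, e) for e in entries)
```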
Local development
Add localhost and 127.0.0.1 while testing. Remove them before going live. Or use a separate test publishable key (pk_test_…) for local work and reserve the live key for production.
What rejected requests look like
The widget displays a small error: "This configurator isn't authorised on this domain." The browser console shows a 403 from the API. In the dashboard, you'll see the Last used at timestamp on the key not advancing.
Some browsers strip the Origin header on cross-origin requests in unusual setups (e.g. older Safari with strict ITP). If you've set an allowlist and the widget breaks, try testing in a different browser to isolate the issue before assuming it's our problem.
What it doesn't protect against
The allowlist stops casual abuse. A motivated attacker can spoof the Origin header on a non-browser request — but they still hit your rate limits and trip our spam protection. If you're seeing unusual traffic, contact us and we can lock down further.