innkept

Origin allowlist

Lock your publishable key to the domains you actually run on.

Your publishable key sits in the HTML of any page where you've embedded the configurator — so by definition, it's not a secret. The origin allowlist stops anyone else from picking it up and using it on their own site to spam your CRM with fake leads.

How it works

For every request to /api/widget/v1/config and /api/widget/v1/submit, we check the Origin (or Referer) header against the allowlist on your publishable key. If the header isn't on the list, we return 403 Forbidden.

If the allowlist is empty, all origins are accepted. We recommend setting an allowlist as soon as you go live — the only reason to leave it open is for testing.

Setting the allowlist

  1. Open API keys in the dashboard.
  2. Click the key you want to restrict.
  3. Add domains, one per line. Use the bare hostname — no protocol, no path.
  4. Save.

Wildcards

Subdomain wildcards work: *.example.com matches www.example.com, book.example.com, preview.example.com — but not example.com itself. To cover both, list them separately:

example.com
*.example.com
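As an added example of the check described under How it works and Wildcards (this is illustrative code, not innkept's own implementation), the function below assumes entries are bare hostnames or `*.host` wildcards, and that once a list is set a missing or unparseable Origin/Referer header is rejected:

```javascript
// Added example of the origin allowlist check; not innkept's own code.
// Assumes allowlist entries are bare hostnames ("example.com") or
// subdomain wildcards ("*.example.com"), one per line as in the dashboard.

// Extract the hostname from an Origin ("https://book.example.com:8443") or
// a Referer ("https://book.example.com/rooms?x=1") header value.
// Returns null when the header is absent or not a parseable URL, e.g. the
// literal "null" a browser sends for sandboxed iframes or file:// pages.
function hostnameFromHeader(value) {
  if (!value) return null;
  try {
    return new URL(value).hostname.toLowerCase(); // port and path dropped
  } catch {
    return null;
  }
}

// Does one allowlist entry match this hostname?
//   "example.com"   matches example.com only (exact, so evilexample.com
//                   cannot sneak in via a suffix comparison)
//   "*.example.com" matches any subdomain of example.com, at any depth,
//                   but never the apex example.com itself
function entryMatches(entry, hostname) {
  const e = entry.trim().toLowerCase();
  if (e.startsWith('*.')) {
    const suffix = e.slice(1);                    // ".example.com"
    return hostname.length > suffix.length && hostname.endsWith(suffix);
  }
  return hostname === e;
}

// Decide whether a widget API request (config or submit) is allowed.
// allowlist: array of entries as typed in the dashboard.
// headers:   object with optional `origin` and `referer` keys.
// Returns 200 (accept) or 403 (reject), mirroring the API's behaviour.
function checkOrigin(allowlist, headers) {
  const entries = allowlist.map((s) => s.trim()).filter(Boolean);
  if (entries.length === 0) return 200;           // empty list: open to all
  const host = hostnameFromHeader(headers.origin)
            ?? hostnameFromHeader(headers.referer); // Origin first, then Referer
  if (host === null) return 403;                  // header stripped or absent
  return entries.some((e) => entryMatches(e, host)) ? 200 : 403;
}
```

The `host === null` branch is the case described under What rejected requests look like: a browser that strips Origin on a cross-origin request fails the check even though the page is on a listed domain.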

Local development

Add localhost and 127.0.0.1 while testing. Remove them before going live. Or use a separate test publishable key (pk_test_…) for local work and reserve the live key for production.

What rejected requests look like

The widget displays a small error: "This configurator isn't authorised on this domain." The browser console shows a 403 from the API. In the dashboard, the key's Last used at timestamp stops advancing, because rejected requests don't count as use.

Some browsers strip the Origin header on cross-origin requests in unusual setups (e.g. older Safari with strict ITP). If you've set an allowlist and the widget breaks, try testing in a different browser to isolate the issue before assuming it's our problem.

What it doesn't protect against

The allowlist stops casual abuse. A motivated attacker can spoof the Origin header on a non-browser request — but they still hit your rate limits and trip our spam protection. If you're seeing unusual traffic, contact us and we can lock down further.

Something missing or wrong? Tell us.

Updated regularly. UK English. No AI slop.