Trusted origin
Learn how to manage your application's trusted origins.
Trusted origins are the domains you explicitly authorize to interact with our services on behalf of your application.
This authorization is enforced through Cross Origin Resource Sharing (CORS), a browser security mechanism that prevents unauthorized domains from making requests to our APIs.
Why trusted origins matter
Without proper CORS configuration, browsers will block requests from unauthorized domains, preventing them from:
- Tracking events and user behavior
- Fetching personalized content
- Accessing our client-side APIs
By maintaining a list of trusted origins, you ensure that only domains you control can interact with your application's data and services, protecting against unauthorized access and potential security breaches.
Regularly review and update your trusted origins to prevent service disruptions when deploying to new environments and to revoke access from domains you no longer use.
Examples of trusted origins
Here are some examples of valid origins and their typical use cases:
| Origin | Use case | Options |
|---|---|---|
| https://example.com | Production domain | Default |
| https://staging.example.com | Staging environment | Default |
| https://app.example.com | Specific subdomain | Default |
| http://localhost:3000 | Local development | Port and allow insecure HTTP |
| https://example.com:8080 | Custom port | Port only |
| https://*.example.com | All subdomains | Include subdomains |
When adding an origin, you only specify the domain, omitting the protocol (e.g., example.com). To allow insecure HTTP or specify a port, use the corresponding options in the origin settings.
View trusted origins
To see the list of authorized domains for your application:
Open the Application settings
Scroll down to the Trusted origins section.
Review the list of authorized domains and their configurations.
Add trusted origins
Never authorize broad domains like vercel.app or github.io, as this would allow anyone with a subdomain on these platforms (including malicious actors) to access your application's data.
To authorize a new domain for your application:
Open the Application settings
Scroll down to the Trusted origins section.
Click Add origin.
Enter the domain without the protocol (e.g., example.com).
Optionally, specify a port if your application uses a non-standard port.
Configure additional options:
- Allow any subdomain - Allow all subdomains (e.g., *.example.com)
- Allow insecure HTTP - Enable HTTP protocol in addition to HTTPS (e.g., allow both http://example.com and https://example.com)
Click Save to apply the changes.
After adding an origin, allow a few minutes for the changes to take effect across our infrastructure. If you are still experiencing CORS errors after 5 minutes, verify that the origin format exactly matches your application's URL.
Edit trusted origins
After adding an origin, you can modify its options but not the domain itself. To change the domain, you must delete the existing origin and create a new one.
To edit an origin's options:
Locate the origin in the Trusted origins list.
Click Options (), then select Edit.
Update the desired options.
Click Save to apply the changes.
Remove trusted origins
Before removing an origin, ensure no active deployments or users depend on it, as this will immediately prevent that domain from accessing our services.
To remove an authorized domain:
Open the Application settings
Scroll down to the Trusted origins section.
Find the domain you want to remove.
Click Options (), then click Delete origin.
Confirm the deletion.