Configure allowed domains
To secure use of your client-side Openfort publishable key, we strongly recommend setting allowed domains for any application in production. This is a security best practice that prevents arbitrary applications from reusing your Openfort publishable key in their own site.
You should always restrict allowed domains for any production application. This step is not necessary for the publishable key you use in staging, development, or local environments.
To configure allowed domains for your app, go to the Openfort dashboard and select your production app from the dropdown in the left sidebar. Then, navigate to Configuration > Security.
Under Allowed Origins, list the domains that will use your production publishable key.
Allowed domains format
When listing allowed domains, please follow these guidelines:
- The protocol `https` is required.
- Trailing paths (e.g. `/path`) are not supported.
- Wildcards (`*`) are only supported as a subdomain, e.g. `*.domain.com`. Wildcards like `*.com` or partial wildcards such as `*-something.domain.com` are not supported.
- Localhost (`http://localhost:port`) is supported, but the port number must be specified. While supported, we do not recommend listing `localhost` as an allowed domain for production apps. If you must add it temporarily (e.g. for development), remember to remove it afterward.
- Many hosting providers treat `https://www.example.com` and `https://example.com` as equivalent. If that's true for your app, add both versions (with and without `www`) as allowed origins in the dashboard.
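The rules above are easy to get wrong when a list is typed by hand, so here is an added example (not Openfort code, and not the check the dashboard itself performs) that lints a candidate Allowed Origins list against the guidelines as stated: required protocol, no trailing paths, wildcards only as a whole leading subdomain, localhost only with a port, and a reminder when only one of the `www`/bare forms of a host is present. The sample list is constructed; treating a lone `/` as "no path" is an assumption.

```python
from urllib.parse import urlsplit

# Added example, not Openfort code: a linter for Allowed Origins entries that
# mirrors the format rules in the guidelines above.

WILDCARD_HINT = "wildcards are only supported as a leading subdomain, e.g. *.domain.com"


def check_allowed_origin(entry: str) -> list[str]:
    """Return the rule violations for one Allowed Origins entry ([] means it is acceptable)."""
    entry = entry.strip()
    if "://" not in entry:
        return ["protocol is required (use https://)"]
    parts = urlsplit(entry)
    host = (parts.hostname or "").lower()
    is_localhost = host == "localhost"
    problems: list[str] = []

    # https is required; plain http is only accepted for localhost.
    if parts.scheme == "http" and not is_localhost:
        problems.append("http is only accepted for localhost; use https")
    elif parts.scheme not in ("http", "https"):
        problems.append(f"unsupported protocol {parts.scheme!r}")

    # Trailing paths are not supported (a lone "/" is tolerated here: assumption).
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("trailing paths are not supported; list only scheme and host")

    # localhost is accepted only with an explicit, numeric port.
    try:
        port = parts.port
    except ValueError:  # e.g. http://localhost:abc
        port = None
    if is_localhost and port is None:
        problems.append("localhost entries must include a numeric port number")

    # Wildcards: only a whole leading label, and only below a registrable domain
    # (so *.domain.com is fine, *.com and *-something.domain.com are not).
    if "*" in host:
        labels = host.split(".")
        if not (labels[0] == "*" and "*" not in host[2:] and len(labels) >= 3):
            problems.append(WILDCARD_HINT)
    return problems


def lint_allowed_origins(entries: list[str]) -> dict[str, list[str]]:
    """Map each entry to its problems; entries with an empty list are acceptable."""
    return {entry: check_allowed_origin(entry) for entry in entries}


def missing_www_counterparts(entries: list[str]) -> list[str]:
    """Origins whose www/bare twin is absent; add both if your host treats them alike."""
    hosts = {urlsplit(e).hostname for e in entries if "://" in e}
    missing = []
    for h in sorted(x for x in hosts if x):
        if "*" in h or h == "localhost":
            continue
        twin = h[4:] if h.startswith("www.") else "www." + h
        if twin not in hosts:
            missing.append("https://" + twin)
    return missing


if __name__ == "__main__":
    SAMPLE = [  # constructed sample list with one entry per rule
        "https://app.example.com",
        "https://*.example.com",
        "http://localhost:3000",
        "http://localhost",
        "example.com",
        "https://example.com/login",
        "https://*.com",
        "https://*-preview.example.com",
    ]
    for entry, problems in lint_allowed_origins(SAMPLE).items():
        print(f"{entry:36} {'OK' if not problems else '; '.join(problems)}")
    print("missing www/bare counterparts:", missing_www_counterparts(SAMPLE))
```

Run it over the list you intend to paste into the dashboard; anything that is not `OK` would either be rejected or, in the case of a missing `www` twin, silently block part of your own traffic.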
Setting allowed domains restricts client-side access to your Openfort publishable key only. Openfort's REST API endpoints that you would query from your backend are gated by your app secret, which should never be exposed on a user's client.
Supporting preview URLs
Many hosting providers (e.g. Vercel) support preview deployment URLs to make it easy to test changes, like `deploy-preview-id--yoursitename.netlify.app`. This URL matches the pattern `*.netlify.app`, which anyone with a free Netlify account can deploy to.
For security reasons, we do not allow whitelisting domains with a generic pattern that are commonly used for these preview deployments, such as:
- `https://*.netlify.app` / `https://*.vercel.app`
- `https://*-projectname.netlify.app` / `https://*-projectname.vercel.app`
Any project can deploy to a domain that matches `https://*.netlify.app`, `https://*.vercel.app`, or similar. If you were to whitelist such a domain for your production publishable key, any actor could set up an arbitrary deployment with your hosting provider and use your production publishable key within their site.
If you'd like to secure your Openfort publishable key on preview deployment URLs, please check if your hosting provider allows you to map preview deployments to a stable subdomain that only you control, like `deploy-preview-42.yoursitename.netlify.app`. This URL matches the pattern `*.yoursitename.netlify.app`, which only members of your Netlify account (or hosting provider) can deploy to. This allows you to list `https://*.yoursitename.netlify.app` under allowed domains, which arbitrary actors cannot deploy to. See instructions to set this up with Vercel or Netlify.
Allowed domains are primarily recommended for production applications. If your preview deployments use a development Openfort publishable key, feel free to leave Allowed Origins empty to support use of your publishable key in previews without the setup above.
App clients and allowed domains
Within an app client, you can override Allowed Origins on your app while still sharing the same user base. To add a client, go to the Configuration > App settings page > Clients tab, and find the Add app client button. Create a client and add Allowed Origins.
Allowed OAuth redirect URLs
Similar to allowed domains, you can configure allowed OAuth redirect URLs to restrict where users can be redirected after they log in with an external OAuth provider. This is a security best practice that prevents users from being redirected to malicious sites with their authentication token. To configure allowed OAuth redirect URLs, navigate to Configuration > App settings > Advanced on the dashboard. Add the URLs that OAuth providers are allowed to redirect to after authentication.
- The URL must be an exact match for the redirect URL; query params and trailing slashes will error.
- The URL must be at a domain listed in allowed domains.
- The protocol (`https`) is required.
- Wildcards (`*`) are not supported.
- If no URLs are listed, users can be redirected to any URL.
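To make the two policies on this page concrete, here is an added example (not Openfort code, and not how the Openfort service matches origins internally) covering both the preview-URL discussion above and the redirect-URL rules just listed: an origin matcher showing why `*.yoursitename.netlify.app` scopes previews to your own account while a generic `*.netlify.app` entry covers anyone's deployment, plus an exact-match check for OAuth redirect URLs, including the documented default that an empty list accepts any URL. The allowed lists and test URLs are constructed, and treating a wildcard as exactly one leading label is an assumption.

```python
from urllib.parse import urlsplit

# Added example, not Openfort code: wildcard-aware origin matching and the
# exact-match OAuth redirect URL policy described on this page.


def host_matches(host: str, allowed_host: str) -> bool:
    """True if host is covered by an allowed host; '*.' covers exactly one leading label (assumption)."""
    host, allowed_host = host.lower(), allowed_host.lower()
    if allowed_host.startswith("*."):
        suffix = allowed_host[1:]            # "*.x.y" -> ".x.y"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return prefix != "" and "." not in prefix
    return host == allowed_host


def origin_allowed(origin: str, allowed_origins: list[str]) -> bool:
    """Match a browser Origin value (scheme://host[:port]) against the allowed list."""
    o = urlsplit(origin)
    for entry in allowed_origins:
        a = urlsplit(entry)
        if (o.scheme == a.scheme and o.port == a.port
                and host_matches(o.hostname or "", a.hostname or "")):
            return True
    return False


def validate_redirect_entry(url: str, allowed_origins: list[str]) -> list[str]:
    """Problems with a candidate redirect URL entry under the stated rules ([] = acceptable)."""
    p = urlsplit(url)
    problems: list[str] = []
    if p.scheme != "https":
        problems.append("protocol must be https")
    if "*" in url:
        problems.append("wildcards are not supported")
    if p.query or p.fragment:
        problems.append("query params are not allowed")
    if p.path.endswith("/"):
        problems.append("trailing slash is not allowed")
    if not origin_allowed(f"{p.scheme}://{p.netloc}", allowed_origins):
        problems.append("host is not covered by allowed domains")
    return problems


def redirect_allowed(requested: str, allowed_redirects: list[str]) -> bool:
    """Exact string match. An empty list accepts any URL: that is the documented
    default, which is why production apps should list their callbacks."""
    if not allowed_redirects:
        return True
    return requested in allowed_redirects


ALLOWED_ORIGINS = ["https://app.example.com", "https://*.yoursitename.netlify.app"]  # constructed
ALLOWED_REDIRECTS = ["https://app.example.com/auth/callback"]  # constructed


def demo() -> dict[str, bool]:
    """A few constructed checks that show the scoping difference and the exact-match rule."""
    return {
        "preview on your own subdomain": origin_allowed(
            "https://deploy-preview-42.yoursitename.netlify.app", ALLOWED_ORIGINS),
        "someone else's netlify site": origin_allowed(
            "https://other-site.netlify.app", ALLOWED_ORIGINS),
        "same site with generic *.netlify.app entry": origin_allowed(
            "https://other-site.netlify.app", ["https://*.netlify.app"]),
        "exact callback": redirect_allowed(
            "https://app.example.com/auth/callback", ALLOWED_REDIRECTS),
        "callback with query string": redirect_allowed(
            "https://app.example.com/auth/callback?next=x", ALLOWED_REDIRECTS),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:44} {'allowed' if ok else 'denied'}")
    print(validate_redirect_entry("https://app.example.com/auth/callback/", ALLOWED_ORIGINS))
```

The third `demo()` entry is the point of the preview-URL section: with a generic pattern in the list, a deployment from an unrelated account matches exactly like your own preview does, whereas the account-scoped wildcard only covers hosts directly under `yoursitename.netlify.app`.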