Allowed domains

Restrict the widget to load only on hosts you own. Stops someone from copying your snippet onto an unrelated site.

The widget's embed key (ek_…) is visible in your site's HTML — there's no way to keep it private. Anyone who views the source can copy it and embed your widget on their own page, then start chats that land in your inbox.

Allowed domains is the defense: an allowlist of hostnames where your widget is allowed to load.

Configuring the list

Settings → Chat → Allowed domains. Add one hostname per line:

acme.com
support.acme.com
acme.io

Save. New visitors get the widget; anyone embedding your snippet on a different host gets active: false from the init endpoint, and the bubble simply doesn't render.

Matching rules

  • Exact host or subdomain match. acme.com in the list matches acme.com and www.acme.com and blog.acme.com. It does not match acme.io or notacme.com.
  • No wildcards or regex. If you have multiple top-level domains, list each one.
  • Case-insensitive. Acme.com and acme.com are the same.

The check runs against the Origin header (and falls back to Referer when Origin is absent). Visitors who block both headers — rare — are treated as "not allowed": the check fails closed, not open.
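As an added example (not the vendor's code), the matching rules and header check above, together with the empty-list default described under "Leaving it empty", written out in plain Node.js. The header object shape ({ origin, referer }), the function names and the sample requests are assumptions made for illustration:

```javascript
// Added example, not the vendor's code: a plain Node.js reimplementation of
// the Allowed domains check described on this page. The header object shape
// ({ origin, referer }) and the function names are assumptions.

/** Lowercase hostname from an Origin or Referer value; null if missing or unparseable. */
function hostnameOf(headerValue) {
  if (typeof headerValue !== 'string' || headerValue === '') return null;
  try {
    // URL parsing drops scheme, port and path, so "https://www.acme.com:8443/x"
    // yields "www.acme.com". An opaque "null" origin is not a valid URL and is
    // therefore treated the same as a missing header.
    return new URL(headerValue).hostname.toLowerCase();
  } catch {
    return null;
  }
}

/**
 * Exact host or subdomain match with a dot boundary: "acme.com" matches
 * "acme.com" and "blog.acme.com" but not "notacme.com" or "acme.io".
 * Entries are compared case-insensitively.
 */
function hostMatches(host, allowed) {
  const entry = allowed.trim().toLowerCase();
  if (entry === '') return false;
  return host === entry || host.endsWith('.' + entry);
}

/**
 * Decide whether the widget may load for a request.
 * - Empty list: allow any origin (the default for new workspaces).
 * - Otherwise use Origin, falling back to Referer when Origin is absent.
 * - Neither header present (or unparseable): not allowed (fail closed).
 */
function isOriginAllowed(headers, allowedDomains) {
  const list = allowedDomains.map((d) => d.trim()).filter((d) => d !== '');
  if (list.length === 0) return true;

  const host = hostnameOf(headers.origin ?? headers.referer);
  if (host === null) return false;

  return list.some((entry) => hostMatches(host, entry));
}

/** What the init endpoint would answer: { active: true } or { active: false }. */
function initResponse(headers, allowedDomains) {
  return { active: isOriginAllowed(headers, allowedDomains) };
}

// Constructed sample requests, mirroring the list from "Configuring the list".
const allowedList = ['acme.com', 'support.acme.com', 'acme.io'];
const sampleRequests = [
  { origin: 'https://www.acme.com' },              // subdomain of acme.com -> active
  { referer: 'https://acme.io/pricing?plan=pro' }, // no Origin, Referer matches -> active
  { origin: 'https://notacme.com' },               // no dot boundary -> inactive
  { origin: 'https://acme.com.evil.example' },     // allowed name only as a prefix -> inactive
  {},                                              // both headers blocked -> inactive
];
for (const headers of sampleRequests) {
  console.log(JSON.stringify(headers), '->', JSON.stringify(initResponse(headers, allowedList)));
}
```

Run it with node. The dot-boundary test in hostMatches is what keeps notacme.com and acme.com.evil.example out while still admitting blog.acme.com; parse failures are folded into the "header absent" path so every unexpected input lands on active: false rather than active: true.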

Leaving it empty

An empty list means allow any origin. This is the default for new workspaces because we want the widget to work right out of the box during setup. Add at least your own production domain before going live. Forgetting this is the most common pre-launch oversight.

Local development

During development the widget runs on localhost, which won't match a real domain. Either:

  • Leave the allowlist empty until you ship.
  • Add localhost to the list temporarily and remove it before launch.

We never auto-allow localhost in production.