Respos·ai← Back to journal
§ Docs · Allowed domains

Allowed domains.

Control which websites can embed your agent and send it messages.

Why restrict domains?

Your embed token is public — it appears in the script tag on your site. Without a domain allow-list, anyone who finds the token could embed your agent on their own site, consuming your message quota. Restricting to known domains prevents this.

How to configure

Open your agent → Configure tab → Widget section → Allowed domains field.

Enter one domain per line, without the protocol:

yourshop.com
blog.yourshop.com
staging.yourshop.com

Requests from any origin not on the list will receive a 403 Origin not allowed error.

Wildcard subdomains

A bare domain like yourshop.com also matches any subdomain ending in .yourshop.com, so blog.yourshop.com is covered automatically.

Leave blank for development

If the field is empty, requests from anyorigin are accepted. This is fine while you're building and testing locally, but recommended to lock down before going live.

Testing the restriction

After saving, open a browser's developer console on an unlisted domain and post a message. You should receive a 403 response.


Related: Website embed guide · Inline iframe guide