Allowed domains.
Control which websites can embed your agent and send it messages.
Why restrict domains?
Your embed token is public — it appears in the script tag on your site. Without a domain allow-list, anyone who finds the token could embed your agent on their own site, consuming your message quota. Restricting to known domains prevents this.
How to configure
Open your agent → Configure tab → Widget section → Allowed domains field.
Enter one domain per line, without the protocol:
yourshop.com blog.yourshop.com staging.yourshop.com
Requests from any origin not on the list will receive a 403 Origin not allowed error.
Wildcard subdomains
A bare domain like yourshop.com also matches any subdomain ending in .yourshop.com, so blog.yourshop.com is covered automatically.
Leave blank for development
If the field is empty, requests from anyorigin are accepted. This is fine while you're building and testing locally, but recommended to lock down before going live.
Testing the restriction
After saving, open a browser's developer console on an unlisted domain and post a message. You should receive a 403 response.
Related: Website embed guide · Inline iframe guide