Overview
The Domain Allowlist is a security feature that restricts which domains can make requests to your Magic application. When enabled, Magic will reject all requests from domains that are not explicitly included in your allowlist.
Security Benefits
API Key Protection
Prevents unauthorized usage of your public API keys by restricting access to approved domains only.
Attack Prevention
Blocks potential attacks from malicious domains attempting to use your Magic integration.
How It Works
When a request is made to your Magic application:
- Domain Check: Magic verifies the requesting domain against your allowlist
- Allow/Block: Requests from allowed domains proceed normally; blocked domains receive an error
- User Notification: Blocked requests show a user-friendly error message explaining the restriction
Important: Once enabled, the Domain Allowlist applies to ALL requests to your Magic application. Make sure to add all legitimate domains before enabling this feature.
Usage
Dashboard Configuration
1. Access Your Application: Navigate to the Magic Dashboard and select the application you want to configure.
2. Open Settings: Go to the Settings tab of your selected application.
3. Find Allowlist Section: Scroll down to the “Allowed Origins & Redirects” section.
4. Enable Domain Allowlist: Toggle the Domain switch to enable it.
5. Add Domains: In the text input field that appears, add the domains you want to allow. You can add multiple domains by separating them with commas or line breaks.
6. Save Changes: Click Save to apply your domain allowlist configuration.

Domain Formatting
When adding domains to your allowlist, follow these formatting rules:
Supported Domain Formats
- Full domains: example.com, app.example.com
- Subdomains: *.example.com (wildcard for all subdomains)
- Localhost: localhost, localhost:3000
- IP addresses: 192.168.1.1, 192.168.1.1:8080
- Protocols: Include https:// or http:// if needed
Examples
Best Practices
- Use specific domains when possible instead of wildcards
- Include both www and non-www versions if needed
- Add staging and production domains separately
- Test with localhost during development
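An added example, not Magic's own code: a pre-enable audit that reports which of your deployed origins a proposed allowlist would leave blocked, and what each wildcard entry actually covers so it can be narrowed to specific domains. The matching rules (a wildcard excludes the apex domain, ports must match exactly, a scheme is compared only when the entry has one) and the names audit, entryCovers, PROPOSED and DEPLOYED are assumptions for illustration; confirm them against your application's real behaviour.

```javascript
// Added example: audit a proposed allowlist against the origins you deploy to.
// The matching rules below are assumptions for illustration, not Magic's code.

// The dashboard input accepts entries separated by commas or line breaks.
function parseAllowlist(text) {
  return text.split(/[,\n]/).map((s) => s.trim()).filter(Boolean);
}

// Split an entry or origin into scheme, host and port (scheme and port optional).
function parts(value) {
  const m = /^(?:(https?):\/\/)?([^\/:]+)(?::(\d+))?\/?$/.exec(value.toLowerCase());
  if (!m) throw new Error(`unparseable entry: ${value}`);
  return { scheme: m[1] || null, host: m[2], port: m[3] || null };
}

// Assumed rules: a scheme is compared only if the entry has one, ports must
// match exactly, and "*.example.com" covers subdomains but not the apex.
function entryCovers(entry, origin) {
  const e = parts(entry);
  const o = parts(origin);
  if (e.scheme && e.scheme !== o.scheme) return false;
  if (e.port !== o.port) return false;
  if (!e.host.startsWith('*.')) return e.host === o.host;
  const suffix = e.host.slice(1); // ".example.com"
  return o.host.length > suffix.length && o.host.endsWith(suffix);
}

// Report origins that would be blocked, and what each wildcard actually
// covers so it can be replaced with specific domains.
function audit(allowlistText, deployedOrigins) {
  const entries = parseAllowlist(allowlistText);
  return {
    uncovered: deployedOrigins.filter((o) => !entries.some((e) => entryCovers(e, o))),
    wildcards: entries.filter((e) => parts(e).host.startsWith('*.')).map((entry) => ({
      entry,
      covers: deployedOrigins.filter((o) => entryCovers(entry, o)),
    })),
  };
}

// Constructed sample data (not from the page).
const PROPOSED = 'example.com, *.example.com\nhttps://admin.example.org, localhost:3000';
const DEPLOYED = [
  'https://example.com', 'https://www.example.com', 'https://app.example.com',
  'http://admin.example.org', 'https://staging.example.net', 'http://localhost:3000',
];
console.log(JSON.stringify(audit(PROPOSED, DEPLOYED), null, 2));
```

Run it in CI with your real deployment inventory in place of DEPLOYED and fail the build when uncovered is non-empty.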
New Projects
For new applications created after December 15, 2023, the Domain Allowlist feature is mandatory. By default, the localhost domain is included for convenience during development.
Development Tip: The localhost domain is automatically included to help with local development. Make sure to add your production domains before deploying to production.
Existing Projects
For applications created before December 15, 2023, the Domain Allowlist feature is optional but highly recommended. While not enforced, warning messages will appear in your dashboard if the feature is not enabled.
Security Risk: Without enabling the Domain Allowlist, your API keys remain vulnerable to unauthorized usage from any domain. We strongly recommend enabling this feature for all applications.

If a project attempts to utilize a public key on a domain not included in the application’s allowlist, a modal will appear. This modal will notify the user that an unauthorized domain is being used and that access has not been approved for that specific domain by the application.

Programmatic Configuration
You can manage your domain allowlist programmatically using the Magic API. This is useful for:
- Automated deployments: Add domains as part of your CI/CD pipeline
- Bulk management: Add or remove multiple domains at once
- Integration: Manage domains from your own admin interface
Prerequisites
To use the programmatic API, you’ll need your Secret Key:
1. Access Your Application: Navigate to a Magic app from the main dashboard landing page
2. Get Your Secret Key: On the app home page, scroll to the API Keys section
3. Copy Secret Key: Copy your Secret Key from the API Keys section
Security: Keep your Secret Key secure and never expose it in client-side code or public repositories.