> ## Documentation Index
> Fetch the complete documentation index at: https://docs.magic.link/llms.txt
> Use this file to discover all available pages before exploring further.

# Domain Allowlist

> Domain Allowlist allows your application to be secure-by-default, meaning that it establishes a strong security posture right from the start, and only permits communication with specific domains that have been explicitly approved.

## Overview

The Domain Allowlist is a security feature that restricts which domains can make requests to your Magic application. When enabled, Magic will reject all requests from domains that are not explicitly included in your allowlist.

### Security Benefits

<CardGroup cols={2}>
  <Card title="API Key Protection" icon="shield">
    Prevents unauthorized usage of your public API keys by restricting access to approved domains only.
  </Card>

  <Card title="Attack Prevention" icon="lock">
    Blocks potential attacks from malicious domains attempting to use your Magic integration.
  </Card>
</CardGroup>

### How It Works

When a request is made to your Magic application:

1. **Domain Check**: Magic verifies the requesting domain against your allowlist
2. **Allow/Block**: Requests from allowed domains proceed normally; blocked domains receive an error
3. **User Notification**: Blocked requests show a user-friendly error message explaining the restriction

<Warning>
  **Important**: Once enabled, the Domain Allowlist applies to ALL requests to your Magic application. Make sure to add all legitimate domains before enabling this feature.
</Warning>

## Usage

### Dashboard Configuration

<Steps>
  <Step title="Access Your Application">
    Navigate to the [Magic Dashboard](https://dashboard.magic.link) and select the application you want to configure.
  </Step>

  <Step title="Open Settings">
    Go to the **Settings** tab of your selected application.
  </Step>

  <Step title="Find Allowlist Section">
    Scroll down to the **"Allowed Origins & Redirects"** section.
  </Step>

  <Step title="Enable Domain Allowlist">
    Toggle the **Domain** switch to enable it.
  </Step>

  <Step title="Add Domains">
    In the text input field that appears, add the domains you want to allow. You can add multiple domains by separating them with commas or line breaks.
  </Step>

  <Step title="Save Changes">
    Click **Save** to apply your domain allowlist configuration.
  </Step>
</Steps>

<Frame>
  <img src="https://mintcdn.com/magic-newton/1GYf0YW8BthDpWqo/images/Configuration-view.webp?fit=max&auto=format&n=1GYf0YW8BthDpWqo&q=85&s=484af400967855b0f6ec4cd0dd06fe68" alt="Domain allowlist configuration interface in Magic Dashboard" width="1200" height="815" data-path="images/Configuration-view.webp" />
</Frame>

### Domain Formatting

When adding domains to your allowlist, follow these formatting rules:

<AccordionGroup>
  <Accordion title="Supported Domain Formats">
    * **Full domains**: `example.com`, `app.example.com`
    * **Subdomains**: `*.example.com` (wildcard for all subdomains)
    * **Localhost**: `localhost`, `localhost:3000`
    * **IP addresses**: `192.168.1.1`, `192.168.1.1:8080`
    * **Protocols**: Include `https://` or `http://` if needed
  </Accordion>

  <Accordion title="Examples">
    ```
    example.com
    app.example.com
    *.example.com
    localhost:3000
    https://staging.myapp.com
    ```
  </Accordion>

  <Accordion title="Best Practices">
    * Use specific domains when possible instead of wildcards
    * Include both `www` and non-`www` versions if needed
    * Add staging and production domains separately
    * Test with `localhost` during development
  </Accordion>
</AccordionGroup>

### New Projects

For new applications created after December 15, 2023, the Domain Allowlist feature **is mandatory**. By default, the `localhost` domain is included for convenience during development.

<Info>
  **Development Tip**: The `localhost` domain is automatically included to help with local development. Make sure to add your production domains before deploying to production.
</Info>

### Existing Projects

For applications created before December 15, 2023, the Domain Allowlist feature is **optional but highly recommended**. While not enforced, warning messages will appear in your dashboard if the feature is not enabled.

<Warning>
  **Security Risk**: Without enabling the Domain Allowlist, your API keys remain vulnerable to unauthorized usage from any domain. We strongly recommend enabling this feature for all applications.
</Warning>

<Frame>
  <img src="https://mintcdn.com/magic-newton/1GYf0YW8BthDpWqo/images/Allowlist-entry-point.webp?fit=max&auto=format&n=1GYf0YW8BthDpWqo&q=85&s=9bd5d56b49ce8ebf7b279bec46053d0d" alt="Domain allowlist entry point in Magic Dashboard" width="1200" height="815" data-path="images/Allowlist-entry-point.webp" />
</Frame>

<Note>
  If a project attempts to utilize a public key on a domain not included in the application's allowlist, a modal will appear. This modal will notify the user that an unauthorized domain is being used and that access has not been approved for that specific domain by the application.
</Note>

<Frame>
  <img src="https://mintcdn.com/magic-newton/1GYf0YW8BthDpWqo/images/Blocked-domain.webp?fit=max&auto=format&n=1GYf0YW8BthDpWqo&q=85&s=8014ea7546758957d79da9da667e9d7f" alt="Error message shown to users when accessing from unauthorized domains" width="1200" height="781" data-path="images/Blocked-domain.webp" />
</Frame>

### Programmatic Configuration

You can manage your domain allowlist programmatically using the Magic API. This is useful for:

* **Automated deployments**: Add domains as part of your CI/CD pipeline
* **Bulk management**: Add or remove multiple domains at once
* **Integration**: Manage domains from your own admin interface

#### Prerequisites

To use the programmatic API, you'll need your **Secret Key**:

<Steps>
  <Step title="Access Your Application">
    Navigate to a Magic app from the main dashboard landing page
  </Step>

  <Step title="Get Your Secret Key">
    On the app home page, scroll to the **API Keys** section
  </Step>

  <Step title="Copy Secret Key">
    Copy your **Secret Key** from the API Keys section
  </Step>
</Steps>

<Warning>
  **Security**: Keep your Secret Key secure and never expose it in client-side code or public repositories.
</Warning>

#### API Operations

<CodeGroup>
  ```bash List Domains icon="list" theme={null}
  curl -X GET 'https://api.dashboard.magic.link/v1/admin/access_whitelist' \
  -H 'X-Magic-Secret-Key: sk_live_XXXXXXXX'
  ```

  ```bash Add Domains icon="plus" theme={null}
  curl -X POST 'https://api.dashboard.magic.link/v1/admin/access_whitelist' \
  -H 'X-Magic-Secret-Key: sk_live_XXXXXXXX' \
  -H 'Content-Type: application/json' \
  -d '[
      {
          "access_type": "domain",
          "value": "example.com"
      }
  ]'
  ```

  ```bash Remove Domains icon="minus" theme={null}
  curl -X DELETE 'https://api.dashboard.magic.link/v1/admin/access_whitelist' \
  -H 'X-Magic-Secret-Key: sk_live_XXXXXXXX' \
  -H 'Content-Type: application/json' \
  -d '{
      "access_type": "domain",
      "value": "example.com"
  }'
  ```
</CodeGroup>
