> ## Documentation Index
> Fetch the complete documentation index at: https://docs.magic.link/llms.txt
> Use this file to discover all available pages before exploring further.

# Redirect Allowlist

> Redirect Allowlist ensures secure OAuth authentication by restricting which URLs users can be redirected to after completing authentication, preventing phishing attacks and unauthorized redirects.

## Overview

The Redirect Allowlist is a security feature that restricts which URLs users can be redirected to after completing OAuth authentication. When enabled, Magic will only allow redirects to URLs that are explicitly included in your allowlist.

### Security Benefits

<CardGroup cols={2}>
  <Card title="Phishing Prevention" icon="shield">
    Prevents attackers from redirecting users to malicious websites or phishing pages during OAuth flows.
  </Card>

  <Card title="Data Protection" icon="lock">
    Protects sensitive authentication data by ensuring users are only redirected to trusted destinations.
  </Card>
</CardGroup>

### How It Works

When a user completes OAuth authentication:

1. **URL Validation**: Magic checks the redirect URL against your allowlist
2. **Security Check**: Only pre-approved URLs are allowed for redirection
3. **User Safety**: Users are protected from being redirected to malicious sites

<Info>
  **OAuth Only**: The Redirect Allowlist is only relevant when using OAuth providers (like Google, GitHub, etc.) as your authentication method. It doesn't apply to non-OAuth authentication methods.
</Info>

## Usage

### Dashboard Configuration

<Steps>
  <Step title="Access Your Application">
    Navigate to the [Magic Dashboard](https://dashboard.magic.link) and select the application you want to configure.
  </Step>

  <Step title="Open Settings">
    Go to the **Settings** tab of your selected application.
  </Step>

  <Step title="Find Allowlist Section">
    Scroll down to the **"Allowed Origins & Redirects"** section.
  </Step>

  <Step title="Enable Redirect Allowlist">
    Toggle the **Redirect** switch to enable it.
  </Step>

  <Step title="Add Redirect URLs">
    In the text input field that appears, add the redirect URLs you want to allow. You can add multiple URLs by separating them with commas or line breaks.
  </Step>

  <Step title="Save Changes">
    Click **Save** to apply your redirect allowlist configuration.
  </Step>
</Steps>

### URL Formatting

When adding redirect URLs to your allowlist, follow these formatting rules:

<AccordionGroup>
  <Accordion title="Supported URL Formats">
    * **Web URLs**: `https://example.com`, `https://app.example.com/path`
    * **Custom schemes**: `myapp://`, `myapp://callback`
    * **Mobile deep links**: `myapp://open`, `myapp://auth/callback`
    * **Universal Links**: `https://example.com/app-link`
    * **Localhost**: `http://localhost:3000`, `http://localhost:3000/callback`
  </Accordion>

  <Accordion title="Examples">
    ```
    https://example.com
    https://app.example.com/callback
    https://staging.myapp.com/auth/success
    myapp://auth/callback
    expo://
    http://localhost:3000
    ```
  </Accordion>

  <Accordion title="Important Rules">
    * **Explicit paths**: `https://example.com` does not include `https://example.com/path`
    * **No query strings**: Query parameters and hash fragments are ignored during validation
    * **Wildcards**: Use `https://*.example.com` for subdomain wildcards
    * **Protocols**: Include the full protocol (`https://` or `http://`) for web URLs
  </Accordion>
</AccordionGroup>

### Mobile Applications

For mobile applications, you can use both **Deep Links** and **Universal Links** (App Links on Android). We recommend **Universal Links/App Links** for increased security.

<Info>
  **Mobile Deep Links**: Use custom URL schemes like `myapp://` for deep linking within your mobile app.
</Info>

<Info>
  **Universal Links**: Use HTTPS URLs that can open your mobile app when available, falling back to web if the app isn't installed.
</Info>

### Programmatic Configuration

You can manage your redirect allowlist programmatically using the Magic API. This is useful for:

* **Automated deployments**: Add redirect URLs as part of your CI/CD pipeline
* **Bulk management**: Add or remove multiple redirect URLs at once
* **Integration**: Manage redirect URLs from your own admin interface

#### Prerequisites

To use the programmatic API, you'll need your **Secret Key**:

<Steps>
  <Step title="Access Your Application">
    Navigate to a Magic app from the main dashboard landing page
  </Step>

  <Step title="Get Your Secret Key">
    On the app home page, scroll to the **API Keys** section
  </Step>

  <Step title="Copy Secret Key">
    Copy your **Secret Key** from the API Keys section
  </Step>
</Steps>

<Warning>
  **Security**: Keep your Secret Key secure and never expose it in client-side code or public repositories.
</Warning>

#### API Operations

<CodeGroup>
  ```bash List Redirects icon="list" theme={null}
  curl -X GET 'https://api.dashboard.magic.link/v1/admin/access_whitelist' \
  -H 'X-Magic-Secret-Key: sk_live_XXXXXXXX'
  ```

  ```bash Add Redirects icon="plus" theme={null}
  curl -X POST 'https://api.dashboard.magic.link/v1/admin/access_whitelist' \
  -H 'X-Magic-Secret-Key: sk_live_XXXXXXXX' \
  -H 'Content-Type: application/json' \
  -d '[
      {
          "access_type": "redirect_url",
          "value": "https://example.com/callback"
      }
  ]'
  ```

  ```bash Remove Redirects icon="minus" theme={null}
  curl -X DELETE 'https://api.dashboard.magic.link/v1/admin/access_whitelist' \
  -H 'X-Magic-Secret-Key: sk_live_XXXXXXXX' \
  -H 'Content-Type: application/json' \
  -d '{
      "access_type": "redirect_url",
      "value": "https://example.com/callback"
  }'
  ```
</CodeGroup>
