Domain allowlist
Each workspace carries a domain allowlist. When it is set, the API rejects embed requests coming from any origin that is not on the list — so a copied embed snippet will not run on someone else’s site.
How it works
Section titled “How it works”- The embed reports the host page’s origin with each viewer request.
- The API checks it against the workspace allowlist.
- Origins not on the list receive HTTP 403 with the error code
EMBED_DOMAIN_NOT_ALLOWED, and the embed stays empty.
- Empty list = open. If you never configure the allowlist, the embed runs anywhere.
- Wildcards are supported:
*.example.commatches every subdomain ofexample.com. - First-party is always allowed. Togenar’s own share links, launcher pages and the panel preview keep working regardless of the list.
Configure it
Section titled “Configure it”In the panel: Workspace → Settings → Embed → Allowed domains. Enter one domain per line, e.g.:
shop.example.com*.example.deChanges apply to new viewer loads immediately.
Troubleshooting
Section titled “Troubleshooting”The embed renders an empty frame and the network tab shows a 403 with
EMBED_DOMAIN_NOT_ALLOWED? The page’s origin is missing from the allowlist. Remember that
www.example.com and example.com are different origins — list both or use a
wildcard.
