Skip to content

Domain allowlist

Each workspace carries a domain allowlist. When it is set, the API rejects embed requests coming from any origin that is not on the list — so a copied embed snippet will not run on someone else’s site.

  1. The embed reports the host page’s origin with each viewer request.
  2. The API checks it against the workspace allowlist.
  3. Origins not on the list receive HTTP 403 with the error code EMBED_DOMAIN_NOT_ALLOWED, and the embed stays empty.
  • Empty list = open. If you never configure the allowlist, the embed runs anywhere.
  • Wildcards are supported: *.example.com matches every subdomain of example.com.
  • First-party is always allowed. Togenar’s own share links, launcher pages and the panel preview keep working regardless of the list.

In the panel: Workspace → Settings → Embed → Allowed domains. Enter one domain per line, e.g.:

shop.example.com
*.example.de

Changes apply to new viewer loads immediately.

The embed renders an empty frame and the network tab shows a 403 with EMBED_DOMAIN_NOT_ALLOWED? The page’s origin is missing from the allowlist. Remember that www.example.com and example.com are different origins — list both or use a wildcard.