The domain allowlist controls which websites are authorized to load your chat widget. The widget will only appear on pages served from domains in your allowlist.
Configure allowed domains
- Go to Settings → Widget in your admin dashboard
- Under Allowed domains, add each domain where you want the widget to appear
- Click Save
Domain formats
| Format | Matches | Example |
|---|
example.com | Exact domain only | example.com |
*.example.com | All subdomains | app.example.com, staging.example.com |
*.example.com does not match example.com itself. If you want both, add both example.com and *.example.com.
Common setups
Single domain
Domain + subdomains
With staging
Local development
example.com
*.example.com
example.com
*.example.com
staging.example.com
What happens when a domain isn’t allowed
If someone tries to embed the widget on a domain not in your allowlist, the widget will not load and an error will be logged. Your visitors will not see any error — the chat button simply won’t appear.
Security
- Tokens generated for the widget are bound to the requesting domain
- Tokens expire after 24 hours and are automatically refreshed
- The allowlist is checked on every widget load, so changes take effect immediately
