> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bkstr.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Domain allowlist

> Control which websites can embed your Bookster chat widget

The domain allowlist controls which websites are authorized to load your chat widget. The widget will only appear on pages served from domains in your allowlist.

## Configure allowed domains

1. Go to **Settings** → **Widget** in your admin dashboard
2. Under **Allowed domains**, add each domain where you want the widget to appear
3. Click **Save**

## Domain formats

| Format          | Matches           | Example                                  |
| --------------- | ----------------- | ---------------------------------------- |
| `example.com`   | Exact domain only | `example.com`                            |
| `*.example.com` | All subdomains    | `app.example.com`, `staging.example.com` |

<Warning>
  `*.example.com` does **not** match `example.com` itself. If you want both, add both `example.com` and `*.example.com`.
</Warning>

## Common setups

<Tabs>
  <Tab title="Single domain">
    ```
    example.com
    ```
  </Tab>

  <Tab title="Domain + subdomains">
    ```
    example.com
    *.example.com
    ```
  </Tab>

  <Tab title="With staging">
    ```
    example.com
    *.example.com
    staging.example.com
    ```
  </Tab>

  <Tab title="Local development">
    ```
    example.com
    localhost
    ```
  </Tab>
</Tabs>

## What happens when a domain isn't allowed

If someone tries to embed the widget on a domain not in your allowlist, the widget will not load and an error will be logged. Your visitors will not see any error — the chat button simply won't appear.

## Security

* Tokens generated for the widget are bound to the requesting domain
* Tokens expire after 24 hours and are automatically refreshed
* The allowlist is checked on every widget load, so changes take effect immediately
