Appearance
Configuring allowed domains
To secure use of your client-side Privy App ID, we strongly recommend setting allowed domains for any application in production. This is a security best practice that prevents arbitrary applications from reusing your Privy App ID in their own site.
TIP
You should always restrict allowed domains for any production application. This step is not necessary for the Privy App ID you use in staging, development, or local environments.
To configure allowed domains for your app, go to the Privy dashboard and select your production app from the dropdown in the left sidebar. Then, navigate to the Configuration page, and scroll to the Domains section.
Under Allowed Origins, list the domains that will use your production Privy App ID, separated by commas, spaces, or breaks.
Please note:
- The protocol (
https) is required. - Trailing paths (
/path) are not supported. - Wildcards (
*) are only supported as a subdomain (*.domain.com), but not as a domain alone (*.com). - Partial wildcards of the form
*-sometext.domain.comare not supported. - Localhost (
http://localhost:port) is supported but you must specify theportnumber.
TIP
Though supported, we do not recommend listing localhost as an allowed domain for production apps. If you need to temporarily list localhost as an allowed domain for your production app ID, please take care to remove it when not developing.
INFO
Setting allowed domains restricts client-side access to your Privy app ID only. Privy's REST API endpoints that you would query from your backend are gated by your app secret, which should never be exposed on a user's client.
Supporting preview URLs
Many hosting providers (e.g. Vercel) support preview deployment URLs to make it easy to test changes, like:
ts
// Matches the pattern *.netlify.app, which anyone with a free Netlify account can deploy to
deploy-preview-id--yoursitename.netlify.appFor security reasons, we do not allow whitelisting domains with a generic pattern that are commonly used for these preview deployments, such as:
https://*.netlify.app/https://*.vercel.apphttps://*-projectname.netlify.app/https://*-projectname.vercel.app
Any project can deploy to a domain that matches https://*.netlify.app, https://*.vercel.app, or similar. If you were to whitelist this domain for your production App ID, any actor could set up any arbitrary deployment with your hosting provider and can use your production App ID within their site.
If you'd like to secure your Privy App ID on preview deployment URLs, please check if your hosting provider allows you to map preview deployments to a stable subdomain that only you control, like:
ts
// Matches the pattern *.yoursitename.netlify.app, which only members of your Netlify account
// (or hosting provider) can deploy to
deploy-preview-42<b>.yoursitename.netlify.app</b>This allows you to list https://*.yoursitename.netlify.app under allowed domains, which arbitrary actors cannot deploy to. See instructions to set this up with Vercel or Netlify.
TIP
Allowed domains are primarily recommended for production applications. If your preview deployments use a development Privy app ID, feel free to leave Allowed Origins empty to support use of your app ID in previews without the setup above.