# Only Allow Your Website/App to Use Your API Key

Your `API_KEY_ID` is most likely used in your front-end code, where anyone can read it. To only allow your website or app to use your API key, set the **Allowed Origins** under the **Settings** tab in the [Dashboard](https://dev.cotter.app/).

![Set Allowed Origins and Redirect URL in Settings > Allowed URLs](https://107069962-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0QGDMRD8y_Kd-BpOvT%2F-MA_VnULg4Q6NMZhKx27%2F-MA_fRiiSTFbE0LBCfAP%2Fimage.png?alt=media\&token=dc7cb369-49ae-4790-9e1d-015773a83450)

#### For Websites

This does two things:

* Cotter's JS SDK will only load if the **parent** page's origin is listed.
* If you pass in the `RedirectURL` parameter, the JS SDK will only accept it if its origin is listed.

#### For Mobile Apps

You will always need to specify a RedirectURL when using Cotter's Email or Phone Number verification. The RedirectURL is the deep link to your app that the in-app browser uses to redirect back to your app. **You need to add this redirect URL to the list.**

**Specifically, you will need these 4 origins in your list:**

* `://`
* `https://js.cotter.app`
* `myurlscheme://`
* `myurlscheme://myhostname`

Replace `myurlscheme` and `myhostname` with your own scheme and hostname that you used as the RedirectURL.

### How to Specify the Origins

{% hint style="danger" %}

* Make sure you list the **origin, not the full URL.**
* **Do not include a trailing `/`**.
  * ✅ `https://mywebsite.com`
  * ❌ `https://mywebsite.com/`

{% endhint %}

Make sure you [follow the syntax below](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin):

```
<scheme> "://" <hostname> [ ":" <port> ]
```

#### Example for Websites:

* `http://localhost:3000`
* `https://dev.cotter.app`
* `myexample://auth_callback` (for mobile apps, refer to the list of required origins above).

{% hint style="info" %}
You can use `http://localhost:3000` for development. Remember to remove it when moving to production.
{% endhint %}

To allow **any parent and any RedirectURL**, specify `*` in the input. This removes the origin restriction described above, so your API key can be used from anywhere.
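The rules on this page (origin only, no trailing slash, `*` for any) can be checked locally before you save the list. The following is an added example, not Cotter's SDK or dashboard code; it reduces a page URL or RedirectURL to its origin with the standard WHATWG `URL` parser and compares it against a constructed sample allow-list.

```javascript
// Added example, not Cotter's SDK or dashboard code: mirrors the Allowed
// Origins rules on this page (origin only, no trailing "/", "*" = any).
// Uses the WHATWG URL parser built into Node and browsers.

// Reduce any URL (parent page URL, RedirectURL, deep link) to its origin in
// the form <scheme>://<hostname>[:<port>]. Returns null if it does not parse.
// Default ports are dropped (https://a.example:443/ -> https://a.example),
// matching what browsers send in the Origin header.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  // u.origin is the string "null" for custom schemes such as myexample://,
  // so build it from protocol and host; host already carries a non-default port.
  return `${u.protocol}//${u.host}`;
}

// Check a parent page URL or RedirectURL against the configured list.
function isAllowed(urlString, allowedOrigins) {
  if (allowedOrigins.includes("*")) return true; // any parent, any RedirectURL
  const origin = originOf(urlString);
  return origin !== null && allowedOrigins.includes(origin);
}

// Return null when `entry` is a well-formed Allowed Origins entry, otherwise a
// short reason. "*" and the bare "://" from the mobile-app list are accepted
// verbatim because this page lists them as-is.
function lintAllowedOrigin(entry) {
  if (entry === "*" || entry === "://") return null;
  if (entry.endsWith("/")) return "trailing slash: it will never match a derived origin";
  const origin = originOf(entry);
  if (origin === null) return "not a parseable URL";
  if (origin !== entry) return `not an origin; use ${origin}`;
  return null;
}

// Constructed sample configuration (not a real Cotter project).
const SAMPLE_ALLOWED = ["http://localhost:3000", "https://mywebsite.com", "myexample://auth_callback"];
```

Run `lintAllowedOrigin` over each entry you intend to paste into the dashboard; an entry with a trailing slash is reported because no origin derived from a real URL ever ends in `/`, which is exactly why `https://mywebsite.com/` silently fails to match.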
