Only Allow Your Website/App to Use Your API Key
Your `API_KEY_ID` is most likely used in your front-end code, which may be exposed. To only allow your website or app to use your API key, you can set the Allowed Origins under the Settings tab in the Dashboard.
Set Allowed Origins and Redirect URL in Settings > Allowed URLs
This will do 2 things:
- Cotter's JS SDK will only load if the parent is listed.
- If you pass in the `RedirectURL` parameter, the JS SDK will only allow it if it's listed.
You will always need to specify a RedirectURL when using Cotter's Email or Phone Number verification. The RedirectURL is the deep-link to your app that is used by the in-app browser to redirect back to your app. You need to add this redirect URL to the list.
Specifically, you will need these 4 origins in your list:
- `://`
- `https://js.cotter.app`
- `myurlscheme://`
- `myurlscheme://myhostname`
Replace `myurlscheme` and `myhostname` with your own scheme and hostname that you used as the RedirectURL.
- Make sure you list the origin, not the full URL.
- Do not include a trailing `/`.
- ✅ `https://mywebsite.com`
- ❌ `https://mywebsite.com/`
Each origin has the form `<scheme> "://" <hostname> [ ":" <port> ]`, for example:
- `http://localhost:3000`
- `https://dev.cotter.app`
- `myexample://auth_callback` (for a mobile app, please refer to the example above).
You can use `http://localhost:3000` for development. Remember to remove it when moving to production.

To allow any parent and any RedirectURL, specify `*` in the input.