# Only Allow Your Website/App to Use Your API Key

Your `API_KEY_ID` is most likely used in your front-end code, which may be exposed. To only allow your website or app to use your API key, you can set the **Allowed Origins** under the **Settings** tab in the [Dashboard](https://dev.cotter.app/).

![Set Allowed Origins and Redirect URL in Settings > Allowed URLs](/files/-MA_fRiiSTFbE0LBCfAP)

#### For Websites

This will do 2 things:

* Cotter's JS SDK will only load if the **parent** is listed.
* If you pass in the `RedirectURL` parameter, the JS SDK will only allow it if it's listed.

#### For Mobile Apps

You will always need to specify a RedirectURL when using Cotter's Email or Phone Number verification. The RedirectURL is the deep-link to your app that is used by the in-app browser to redirect back to your app. **You need to add this redirect URL to the list.**

**Specifically, you will need these 4 origins in your list:**

* `://`
* `https://js.cotter.app`
* `myurlscheme://`
* `myurlscheme://myhostname`

Replace `myurlscheme` and `myhostname` with your own scheme and hostname that you used as the RedirectURL.

### How to Specify the Origins

{% hint style="danger" %}

* Make sure you list the **origin, not the full URL.**
* **Do not include a trailing `/`**.
  * ✅ `https://mywebsite.com`
  * ❌ `https://mywebsite.com/`

{% endhint %}

Make sure you [follow the syntax below](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin):

```
<scheme> "://" <hostname> [ ":" <port> ]
```

#### Example for Websites:

* `http://localhost:3000`
* `https://dev.cotter.app`
* `myexample://auth_callback` (for mobile apps, see the list of required origins above).

{% hint style="info" %}
You can use `http://localhost:3000` for development. Remember to remove it when moving to production.
{% endhint %}

To allow **any parent and any RedirectURL:** specify `*` in the input.
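As an added illustration (not Cotter's code), the check below models the Allowed Origins rule on this page: list entries follow `<scheme> "://" <hostname> [ ":" <port> ]` (or `*` for any origin), and a candidate page URL or RedirectURL is reduced to its origin before comparison, which is why a full URL or a trailing `/` in the list never matches. The allowlist values are constructed from the examples above.

```javascript
// Constructed allowlist in the form the Settings page expects (origins only,
// no trailing slash). Names are assumed from the examples on this page.
const ALLOWED_ORIGINS = [
  "https://mywebsite.com",
  "http://localhost:3000",
  "myurlscheme://myhostname",
];

// scheme "://" [hostname [":" port]] and nothing after it. The hostname may be
// empty so that a bare mobile scheme entry such as "myurlscheme://" is accepted.
const ORIGIN_ENTRY = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/(?:[^\/?#:]+(?::\d+)?)?$/;

// True when a list entry is well-formed; rejects "https://mywebsite.com/" and
// "https://mywebsite.com/login", which could never match an origin anyway.
function isValidOriginEntry(entry) {
  return entry === "*" || ORIGIN_ENTRY.test(entry);
}

// Reduce a page URL or RedirectURL to scheme://host[:port]; null if unparsable.
// Built by hand because URL.origin is the string "null" for custom (non-special)
// schemes such as myurlscheme://. The parser drops default ports (443 for https),
// so list "https://mywebsite.com" rather than "https://mywebsite.com:443".
function toOrigin(value) {
  let u;
  try {
    u = new URL(value);
  } catch {
    return null;
  }
  return `${u.protocol}//${u.host}`.toLowerCase();
}

// Decide whether a candidate URL may load the SDK or be used as a RedirectURL.
// The whole origin is compared, so "https://mywebsite.com.evil.example" does not
// match "https://mywebsite.com"; "*" in the list allows any origin, as above.
function isAllowed(candidateUrl, allowlist = ALLOWED_ORIGINS) {
  const origin = toOrigin(candidateUrl);
  if (origin === null) return false;
  if (allowlist.includes("*")) return true;
  return allowlist
    .filter(isValidOriginEntry)
    .some((entry) => entry.toLowerCase() === origin);
}
```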
