
Allowed website domains (CORS)

Because the publishable browser token ships in your page source, JourneyLayer lets you restrict which website origins are allowed to send events with it. This is the Allowed website domains list.

Where to set it

Settings → SDK / Install → Allowed domains. Add each origin that serves your site.

How matching works

  • The check uses the browser's Origin (scheme + host), e.g. https://www.yourdomain.com.
  • Empty list = allow any origin. If you add nothing, every origin is accepted (useful while getting started).
  • List every origin you serve from:
    • apex and www: yourdomain.com and www.yourdomain.com
    • any staging / marketing domains
    • localhost if you test locally
  • Wildcards are supported for subdomains: *.yourdomain.com.
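  • Mobile apps and server‑side requests carry no browser Origin and are never blocked by this list. The list therefore limits which websites can use the token from a browser; it does not authenticate the sender.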

What happens when an origin isn't allowed

The event request is rejected with HTTP 403 (origin_not_allowed). The website keeps working — only the event is dropped. If you see 403s on event POSTs, the page's origin isn't in the list. See Troubleshooting → Event POST 403.

Add www and staging

The most common mistake is adding yourdomain.com but not www.yourdomain.com, or forgetting the staging origin. Events from a missing origin are silently 403'd.
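
To catch a missing origin before it shows up as dropped events, the sketch below models the matching rules described under "How matching works" and reports which of the origins you serve would be rejected. It is an added example, not JourneyLayer's code. It assumes list entries are bare hostnames, that scheme and port are ignored, that a wildcard does not cover the apex, and that an unparseable Origin is rejected; `isOriginAllowed` and `findBlockedOrigins` are hypothetical names.

```javascript
// Added example: models the matching rules on this page; not JourneyLayer's code.
// Assumption: entries are bare hostnames ("yourdomain.com", "*.yourdomain.com",
// "localhost") and scheme/port are ignored. Verify against your own settings.

function hostOf(origin) {
  try {
    return new URL(origin).hostname.toLowerCase();
  } catch {
    return null; // unparseable Origin value (assumed to be rejected)
  }
}

function entryMatches(entry, host) {
  const e = entry.trim().toLowerCase();
  if (e.startsWith("*.")) {
    // Assumption: a wildcard covers subdomains only, not the apex itself.
    // Keeping the leading dot stops suffix lookalikes such as "notyourdomain.com".
    return host.endsWith(e.slice(1));
  }
  return host === e;
}

function isOriginAllowed(originHeader, allowedDomains) {
  if (!originHeader) return true;               // no browser Origin: never blocked
  if (allowedDomains.length === 0) return true; // empty list = allow any origin
  const host = hostOf(originHeader);
  if (host === null) return false;
  return allowedDomains.some((entry) => entryMatches(entry, host));
}

// Returns the origins you serve from that would get 403 origin_not_allowed.
function findBlockedOrigins(servedOrigins, allowedDomains) {
  return servedOrigins.filter((o) => !isOriginAllowed(o, allowedDomains));
}

// Constructed sample: apex listed, www, staging and localhost forgotten.
const served = [
  "https://yourdomain.com",
  "https://www.yourdomain.com",
  "https://staging.yourdomain.com",
  "http://localhost:3000",
];
console.log(findBlockedOrigins(served, ["yourdomain.com"]));
console.log(findBlockedOrigins(served, ["yourdomain.com", "*.yourdomain.com", "localhost"]));
```
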

Changes take effect quickly

The allowlist is cached briefly on the server (about a minute), so edits apply within ~60 seconds.