Embeds
Whitelist Domains
Retrieve or update the list of domains allowed to embed your data app (GET to list, PUT to update).
GET
Manage the domains that are allowed to embed your data app. Only requests from whitelisted domains can load embedded dashboards and metrics. Use GET to retrieve the current list and PUT to update it.
Returns the current list of whitelisted domains for your data app.
Domain whitelisting is a security feature. Requests from non-whitelisted origins are rejected even with a valid API key or guest token. See Domain Whitelisting for more context.
Endpoints
- GET – List whitelist domains
- PUT – Update whitelist domains
Authentication
All requests must include your data app API key in theAuthorization header. See the data app creation guide and the API Token guide.
Headers
Bearer token for API authentication. Use your data app API key.
Required for PUT only. Must be
application/json.GET – Query parameters
None.PUT – Request Body
Array of domain strings. Each entry must be one of:
- A valid domain with at least two labels (e.g.
app.example.com) - A wildcard subdomain (e.g.
*.example.com) - An IPv4 address with optional port (e.g.
192.168.1.1or192.168.1.1:3000) localhostwith optional port (e.g.localhostorlocalhost:8080)
http:// or https://. Pass an empty array [] to clear all whitelisted domains.Response
GET response
Array of whitelisted domain strings. Empty array if none are set.
PUT response
Examples
Error codes
| Error Code | HTTP Status | Description |
|---|---|---|
INVALID_DATA_APP_API_KEY | 400 | Missing or invalid data app API key |
INVALID_SERVICE_TOKEN | 400 | Invalid or expired token; cannot resolve company context |
INVALID_REQUEST_BODY | 400 | Invalid or malformed domains (e.g. protocol included, invalid format) |
INTERNAL_SERVER_ERROR | 500 | Unexpected server error |