Create an allow list for your public API key
Create an allow list for where your public keys can be used.
Add a public API key allow list to control which referrer URLs have permission to use your account's public API key. Public API keys work for all domains by default.
When you create an allow list for your public API key, any client API calls made from referrers not on the list will be rejected; metrics are not tracked from klaviyo.js, profiles are not identified, and forms will not submit. Forms and review widgets will still display.
Allow list settings do not restrict API calls made from Klaviyo mobile SDKs. Any API calls from our SDKs will always be allowed.
Create allow list
- Navigate to your account's API keys settings page.
- In the Public API Key / site ID section, click Manage options.
- In the Manage Permissions modal, add the domains you want to include on the allow list. This list has the following requirements:
  - Your list must be delimited by commas.
  - The maximum number of referrers is 20.
  - Wildcards (*) can be used to target multiple subdomains. For example, *.klaviyo.com authorizes developers.klaviyo.com, www.klaviyo.com, status.klaviyo.com, etc.
  - Different top-level domains must be enumerated. For example, *.klaviyo.com does not authorize www.klaviyo.fr. *.klaviyo.fr is required as a separate list entry.
  - Localhost development use cases are supported by including 127.0.0.1 or 0.0.0.0.
  - All subpaths of a domain are authorized by authorizing the domain. For example, www.klaviyo.com authorizes www.klaviyo.com/support.
- Click Save.
If you receive an error when attempting to save your allow list settings, check for invalid hostname characters, non-comma delimiters, or more than 20 referrers.
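The requirements above can be checked before you paste a list into the modal. The following is an added example, not Klaviyo's code: it models the documented rules in JavaScript. The function names, the hostname pattern, and the choice that *.klaviyo.com does not cover the bare klaviyo.com are assumptions.

```javascript
// Added example modelling the documented allow-list rules; not Klaviyo's implementation.
const MAX_REFERRERS = 20; // documented maximum number of referrers

// Parse a comma-delimited allow list and collect the save errors the page names:
// invalid hostname characters, non-comma delimiters, more than 20 referrers.
function parseAllowList(text) {
  const entries = text.split(",").map((e) => e.trim().toLowerCase());
  const errors = [];
  if (entries.length > MAX_REFERRERS) {
    errors.push(`more than ${MAX_REFERRERS} referrers (${entries.length})`);
  }
  for (const entry of entries) {
    // Assumption: an entry is a hostname or IP, optionally prefixed with "*.".
    // A space or semicolon used as a delimiter ends up inside one entry and fails here.
    if (!/^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(entry)) {
      errors.push(`invalid entry: "${entry}"`);
    }
  }
  return { entries, errors };
}

// Return true when the referrer URL's hostname is covered by an allow-list entry.
function isReferrerAllowed(referrer, entries) {
  let host;
  try {
    host = new URL(referrer).hostname.toLowerCase();
  } catch {
    return false; // unparseable referrer: treated as not on the list
  }
  return entries.some((entry) =>
    entry.startsWith("*.")
      // "*.klaviyo.com" becomes the suffix ".klaviyo.com". Keeping the leading dot
      // stops look-alike hosts such as "evilklaviyo.com" from matching, and a
      // different top-level domain (".klaviyo.fr") never shares the suffix.
      ? host.endsWith(entry.slice(1))
      // Exact host match; the path is ignored, so every subpath is authorized.
      : host === entry
  );
}
```

Run a candidate list through parseAllowList first, then test the referrers you expect to be accepted and rejected with isReferrerAllowed before saving.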
Review domain traffic
The allow list tool monitors which domains have recently made client API requests using your public API key. To review domain traffic from the past 7 days, open the Manage options modal in your account's API keys settings.