Create an allowlist for your public API key
Create an allowlist for where your public keys can be used.
Add a public API key allowlist to control which referrer URLs have permission to use your account's public API key. Public API keys work for all domains by default.
When you create an allowlist for your public API key, any client API calls made from referrers not on the list are rejected: metrics from klaviyo.js are not tracked, profiles are not identified, and forms do not submit. Forms and review widgets still display.
Allowlist settings do not restrict API calls made from Klaviyo mobile SDKs. Any API calls from our SDKs will always be allowed.
Create allowlist
- Navigate to your account's API keys settings page.
- In the Public API Key / site ID section, click Manage options.
- In the Manage Permissions modal, add the domains you want to include on the allowlist. This list has the following requirements:
  - Your list must be delimited by commas.
  - The maximum number of domains you can specify is 20.
  - Wildcards (*) can be used to target multiple subdomains of a root domain. However, you must specify the root domain explicitly.
    - You can use *.example.com to authorize any valid subdomain of example.com (e.g., www.example.com, shop.example.com, etc.).
    - To authorize the root domain https://example.com in addition to all valid subdomains, specify example.com *.example.com.
  - Different top-level domains must be enumerated. For example, *.example.com does not authorize www.example.fr. *.example.fr is required as a separate list entry.
  - Localhost development use cases are supported by including 127.0.0.1 or 0.0.0.0.
  - All sub-paths of a domain are authorized by authorizing the domain. For example, www.example.com authorizes www.example.com/support.
- Uncheck the Allow empty domains checkbox if you want to disallow traffic without a referrer domain, for example, for server-side traffic. This setting is enabled by default.
- Click Save.
If you receive an error when attempting to save your allowlist settings, check for invalid hostname characters, non-comma delimiters, or more than 20 referrers.
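The requirements above can be checked against a draft list before you paste it into the modal. The following JavaScript is an added example that models the documented rules and is not Klaviyo's code; the function names, the hostname pattern, and matching on hostname only (ignoring scheme and port) are assumptions.

```javascript
// Added example: models the allowlist rules documented on this page.
const MAX_DOMAINS = 20; // documented maximum number of entries

// Assumption: an entry is an optional "*." prefix plus dot-separated
// hostname labels (letters, digits, inner hyphens). No scheme, path or port.
const ENTRY_RE =
  /^(\*\.)?([a-z0-9]([a-z0-9-]*[a-z0-9])?)(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/;

// Split the comma-delimited text and report the problems the save step
// warns about: too many entries, bad characters, non-comma delimiters.
function parseAllowlist(text) {
  const entries = text
    .split(",")
    .map((e) => e.trim().toLowerCase())
    .filter((e) => e !== "");
  const errors = [];
  if (entries.length > MAX_DOMAINS) {
    errors.push(`too many entries: ${entries.length} > ${MAX_DOMAINS}`);
  }
  for (const e of entries) {
    // A space-delimited pair such as "a.com b.com" arrives here as one
    // entry and fails the pattern, which flags the wrong delimiter.
    if (!ENTRY_RE.test(e)) errors.push(`invalid entry: "${e}"`);
  }
  return { entries, errors };
}

// Decide whether a referrer URL is covered by the parsed entries.
// allowEmpty mirrors the "Allow empty domains" checkbox (on by default).
function isReferrerAllowed(referrer, entries, allowEmpty = true) {
  if (!referrer) return allowEmpty;
  let host;
  try {
    host = new URL(referrer).hostname.toLowerCase(); // sub-paths are ignored
  } catch {
    return false; // not a parseable URL
  }
  return entries.some((entry) =>
    entry.startsWith("*.")
      ? host.endsWith(entry.slice(1)) // ".example.com": subdomains, never the root
      : host === entry
  );
}
```
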
Review domain traffic
The allowlist tool monitors which domains have recently made client API requests using your public API key. To confirm this, open the Manage options modal in your account's API keys settings to review domain traffic from the past 7 days.