Domain Allowlist

Domain Allowlist


Domain Allowlist allows your application to be secure-by-default, meaning that it establishes a strong security posture right from the start, and only permits communication with specific domains and redirect URIs that have been explicitly approved. Magic will reject all requests from domains and redirect URIs that are not part of the allowlist. This protects your public API keys from unauthorized usage.


Navigate to the Magic dashboard and select the application in which you need to add domains to the allowlist. Inside the dashboard, go to the "Settings" tab of your selected application and scroll "Allowed Origins & Redirects". In this section, you'll find a toggle button that allows you to manage the allowlist.

Once the feature is on, a text input field will be displayed. Here, you can input the domains that you want to add to the allowlist.

#New Projects

For new applications, the Domain Allowlist feature is mandatory. By default, the localhost domain is included for convenience. However, any additional domains that will make requests to Magic must be explicitly added to the allowlist.

#Existing Projects

For any existing applications created prior to December, 15 2023, the Domain Allowlist feature will not be enforced, however warning messages will appear if the domain allowlist feature is not toggled on.

While it's not mandatory to turn on this feature and add domains for existing apps, it is highly recommended. Without enabling the Domain Allowlist, your API keys remain vulnerable to unauthorized usage.


If a project attempts to utilize a public key on a domain not included in the application's allowlist, a modal will appear. This modal will notify the user that an unauthorized domain is being used and that access has not been approved for that specific domain by the application.

#Programmatic Configuration

Alternatively, domains can be added to your applications allowlist using Curl. In order to interact with the email access control list for your application using Curl, you will need a Secret Key and Client ID.

To obtain the required information, follow the steps below:

  1. On the Dashboard landing page, right-click anywhere and select Inspect
  2. Navigate to the Network tab and look for info?magic_client_id=<CLIENT_ID>
  3. Navigate to the Response tab and extract live_secret_key as your Secret Key and magic_client_id as your Client ID

Provide the Secret Key and/or Client ID in your Curl commands, along with the chosen domains for the interaction:

01curl --location --request POST '' \
02--header 'X-Magic-Secret-Key: sk_live_06FC010DA25ED4F2' \
03--header 'Content-Type: application/json' \
04--data-raw '{
05    "target_client_id": "etjubJsY5Cvn6ukDzJYpd3MEAtgw45oetxxoX1PxvP4=",
06    "domain": ""