Restricting Public API Key to Specific Domains
# support
j
I might be mistaken, but my understanding is that you can restrict the use of a public API key by specifying allowed domains. I’m using the Vapi web snippet, and I want to confirm something: If I configure my public API key to allow only www.site.com as the origin, then the assistant should not work when the Vapi snippet is embedded on a different domain — is that correct? The reason I’m asking is because I tested this on Replit (in dev mode), where the snippet was running on a Replit preview URL. I had already set www.site.com as the only allowed origin for the API key, but the assistant still worked on Replit. So my main question is: How can I ensure that my public API key only works when the assistant is used from allowed domains or URLs? I’d like to prevent it from working on any unapproved origin.
v
Thanks for your question about restricting your Vapi public API key to specific domains. I've looked into this for you, but I need to get more specific information from our technical team. While I found some general information about domain whitelisting and API key restrictions, I couldn't find the exact details on how to properly configure domain restrictions for the Vapi web snippet or why it might still be working on Replit despite your configuration. I've escalated your question to our technical support team who can provide you with the specific steps needed to ensure your public API key only works on approved domains. They'll be able to explain why your current configuration isn't preventing usage on Replit and provide a proper solution. Someone from our team will get back to you shortly with more detailed information. Thanks for your patience! 👍
j
Sure. I'll wait for someone to get back with more info.
k
Hey J.M., could you share your organization ID and the public key in DM with me? I'd like to take a look at your allowed domains and the request originating from there to see what could have possibly gone wrong.
I have DM'ed the public API to shubham.bajaj
k
He is offline; can you send the message to sahil@vapi.ai?
j
I have sent an email to sahil@vapi.ai.
s
Thanks, can you share the other website link where you are able to use it?
j
I have sent it via email. Btw, I should say that it's a dev URL, so the page isn't always running.
I was able to, with the help of ChatGPT (I am not a software dev), set up a Node.js app on Replit with the JWT authentication. It is now working. However, I would much prefer if you could get the public API key way working. While the JWT authentication is working for this current app, I have others where I've used the Vapi snippet. These other Vapi snippets are embedded into static HTML web pages in a learning management system (LMS), and **LMSs don't easily provide the ability to get into the JavaScript and create the JWT authentication**. So, as of now, these static web pages include public API keys that are a security risk (i.e. someone can access the HTML, find the public API key, and use it for their own apps). Could you please fix the allowed origins field in the public API key page in the dashboard (attached)? https://cdn.discordapp.com/attachments/1360990127165411448/1363470778867126433/Screenshot_2025-04-20_at_14.05.18.png?ex=6806269d&is=6804d51d&hm=77f4795badde9ec821cf46ca8a14ed909dadef6685f11dc8f943b49fb52fb379&
s
Can you send the public token? Will check the allowed origins from the DB.
Most likely, I am thinking, some issue with the UI,
like it didn't save it properly.
k
@JM
j
@Sahil @Kings_big💫 Thanks for getting back. I have replied to your email, Sahil, with screenshots of my public API key page and the key. As you will see, in my static HTML page, the public key is supposed to only allow a particular URL, but I am able to access my assistant via another URL. P.S. I noticed this was marked as solved, though I think it would be better if the public API key allowed origins issue is identified and logged before it's marked as solved.
k
Checking if this is resolved/solved for you?
j
Thanks for checking. Still unresolved, but Sahil and I are corresponding over email.
k
Nice