Allowed Origins restriction is not working
# support
a
I created a public api key and set the Allowed Origins to a given url. But when I tested it by using the public api key in a local file (using file:// url ), it still works. The call was instantiated successfully, whereas ideally it should not have worked except when the file is hosted on the given url. It seems that the allowed origins setting was ignored. Please assist. https://cdn.discordapp.com/attachments/1375751825784967280/1375751826061660192/Screenshot_2025-05-24_at_1.55.15_PM.png?ex=6832d43b&is=683182bb&hm=20c1ad955fa70acce344fea68b0c2c313eac2eb43bf0a780b824fb9481c62c69&
k
Hey, can you share the network request with me? Like, what's the response that you are getting?
a
Sure. Attached is the network request. The first 2 (vapi.html and index.js) are when the page gets loaded locally from a file:// URL. The requests after that are when I click on the green call button and, as you can see, I am able to make the call. I am using a public API key which I have created with allowed origins fixed to a certain domain name, but I am able to make this call even from a local HTML file on my laptop. If you need more info, I can send you the public API key and the assistant ID and maybe even the HTML file itself, so that you can also test it from any laptop. https://cdn.discordapp.com/attachments/1375751825784967280/1375947149325369464/Screenshot_2025-05-25_at_2.43.32_AM.png?ex=68338a24&is=683238a4&hm=874857c037ce17cf05219f4947800df4d212a24954dc1d14bec948cc0697a14c&
k
Can you show me the response for web request?
a
Hi, which web request response do you want to see? The file vapi.html is being loaded from my local directory, so there is no web request. So I have attached the source code of this HTML file, which is the same as the source code mentioned on https://github.com/VapiAI/client-sdk-html-script-tag. When I click on the green call button, multiple network requests are made by your JavaScript client SDK.
v
It appears that the "Allowed Origins" restriction may not be enforced for requests made from local files (`file://` URLs), which is a common limitation in browser security models and CORS enforcement.
To clarify if this is expected behavior or a potential issue, I recommend reaching out directly to Vapi support at [support@vapi.ai](mailto:support@vapi.ai) with your API key details and a description of your test scenario for further investigation and guidance.
Source: [Vapi Support](https://docs.vapi.ai/support)
It appears that the "Allowed Origins" restriction may not be enforced for requests originating from `file://` URLs, which could be due to how browsers handle local files and CORS.
Since the documentation does not specify this behavior, I recommend reporting this as a potential security issue to Vapi support with your test case and details. This will help the Vapi team investigate and clarify or address the enforcement of allowed origins for local files.
k
Hello @anisrixyz, could you please share your allowed org ID and public key index with me? I would like to attempt to determine why your allowed domains are not working for you by reviewing the logs.