ApiKeyAllowedOrigin
Manages Cross-Origin Resource Sharing (CORS) settings for API keys used in web browsers. When JavaScript running on a website tries to call your API, browsers enforce the same-origin policy for security: cross-origin requests are blocked unless the API explicitly allows them. This entity defines which websites can use each API key from browser-based JavaScript, preventing unauthorized sites from making browser-based API calls even if they somehow obtain a valid key. Each origin entry includes the protocol, domain, and port (like https://app.example.com) that is permitted to use the API key. The entity also configures which HTTP methods are allowed, which headers can be sent, and how long browsers should cache these permissions. This is critical for public API keys that are embedded in client-side code, as they are visible to anyone viewing the page source. By restricting origins, you ensure that even exposed keys can only be used from your authorized domains. The system can allow all subdomains with a single rule, making it easier to manage multi-tenant applications. CORS preflight responses use this data to tell browsers whether to allow the actual API request.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| apiKeyId | uuid | stored | The API key these CORS settings apply to | Required |
| origin | string | stored | Allowed origin URL including protocol and port Example: | Required |
| allowSubdomains | boolean | stored | Whether all subdomains of this origin are allowed | Optional |
| allowedMethods | string | stored | Comma-separated list of allowed HTTP methods Example: | Optional |
| allowedHeaders | string | stored | Comma-separated list of allowed request headers Example: | Optional |
| exposedHeaders | string | stored | Headers that browsers can access in the response Example: | Optional |
| allowCredentials | boolean | stored | Whether cookies and auth headers can be included | Optional |
| maxAge | integer | stored | Seconds browsers should cache preflight responses Example: | Optional |
| description | string | stored | Note about why this origin is allowed | Optional |
| environment | string | enum | Which environment this origin is for Values: | Optional |
| addedAt | DateTime | stored | When this origin was authorized | Required |
| lastUsedAt | DateTime | stored | Last time a request came from this origin | Optional |
| requestCount | integer | stored | Number of requests from this origin | Optional |
| isActive | boolean | stored | Whether this origin is currently allowed | Optional |
Examples
Example 1
{
"@type": "ApiKeyAllowedOrigin",
"apiKeyId": "key_public_123",
"origin": "https://www.myapp.com",
"allowSubdomains": true,
"allowedMethods": "GET,POST,PUT,DELETE",
"allowedHeaders": "Content-Type,Authorization,X-API-Key",
"exposedHeaders": "X-RateLimit-Remaining,X-RateLimit-Reset",
"allowCredentials": true,
"maxAge": 86400,
"description": "Main production website and all subdomains",
"environment": "production",
"addedAt": "2024-01-01T00:00:00Z",
"lastUsedAt": "2024-03-15T14:30:00Z",
"requestCount": 1847293,
"isActive": true
}
Example 2
{
"@type": "ApiKeyAllowedOrigin",
"apiKeyId": "key_dev_456",
"origin": "http://localhost:3000",
"allowSubdomains": false,
"allowedMethods": "GET,POST",
"allowedHeaders": "Content-Type",
"allowCredentials": false,
"maxAge": 300,
"description": "Local development environment for React app",
"environment": "development",
"addedAt": "2024-02-15T10:00:00Z",
"lastUsedAt": "2024-03-15T16:45:00Z",
"requestCount": 8234,
"isActive": true
}
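The following is an added example, not code from the original page or the project it documents. It shows how a server could evaluate a browser preflight request against ApiKeyAllowedOrigin records and build the CORS response headers from the entity's fields (origin, allowSubdomains, allowedMethods, allowedHeaders, exposedHeaders, allowCredentials, maxAge, isActive). The two records are the page's own Example 1 and Example 2; the request objects, the function names (originMatches, findRule, preflightHeaders) and the field-to-header mapping are assumptions made for this example. It goes slightly beyond the page by making the subdomain match require a dot boundary, so a host such as evil-www.myapp.com or www.myapp.com.evil.example never matches a rule for www.myapp.com, and by echoing the matched origin instead of a wildcard, which the CORS specification requires whenever allowCredentials is true.

```javascript
// Added example: evaluating a browser preflight against ApiKeyAllowedOrigin
// records. Illustrative code, not the project's implementation. The records
// are the page's two examples; request objects are constructed for this example.
"use strict";

const allowedOrigins = [
  { apiKeyId: "key_public_123", origin: "https://www.myapp.com", allowSubdomains: true,
    allowedMethods: "GET,POST,PUT,DELETE",
    allowedHeaders: "Content-Type,Authorization,X-API-Key",
    exposedHeaders: "X-RateLimit-Remaining,X-RateLimit-Reset",
    allowCredentials: true, maxAge: 86400, isActive: true },
  { apiKeyId: "key_dev_456", origin: "http://localhost:3000", allowSubdomains: false,
    allowedMethods: "GET,POST", allowedHeaders: "Content-Type",
    allowCredentials: false, maxAge: 300, isActive: true },
];

// Split a comma-separated field such as allowedMethods into a trimmed list.
function splitList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Strict origin match: scheme and port must be identical; the host must equal
// the rule host or, when allowSubdomains is set, end with "." + rule host.
// The leading dot is what stops "evil-www.myapp.com" from matching
// a rule whose origin host is "www.myapp.com".
function originMatches(rule, requestOrigin) {
  let ruleUrl, reqUrl;
  try {
    ruleUrl = new URL(rule.origin);
    reqUrl = new URL(requestOrigin); // throws for a missing or "null" Origin header
  } catch (e) {
    return false;
  }
  if (ruleUrl.protocol !== reqUrl.protocol || ruleUrl.port !== reqUrl.port) return false;
  if (ruleUrl.hostname === reqUrl.hostname) return true;
  return rule.allowSubdomains === true && reqUrl.hostname.endsWith("." + ruleUrl.hostname);
}

// Find the active record for this API key that covers the request origin.
function findRule(apiKeyId, requestOrigin) {
  return allowedOrigins.find(
    (r) => r.apiKeyId === apiKeyId && r.isActive === true && originMatches(r, requestOrigin)
  ) || null;
}

// Build the response headers for a preflight (OPTIONS) request. Returns null
// when the request must be refused: the server then sends no CORS headers and
// the browser blocks the actual call. The request object carries the values of
// the Origin, Access-Control-Request-Method and Access-Control-Request-Headers
// request headers.
function preflightHeaders(apiKeyId, request) {
  const rule = findRule(apiKeyId, request.origin);
  if (!rule) return null;

  const methods = splitList(rule.allowedMethods).map((m) => m.toUpperCase());
  const headers = splitList(rule.allowedHeaders).map((h) => h.toLowerCase());
  const wantedMethod = (request.accessControlRequestMethod || "").toUpperCase();
  const wantedHeaders = splitList(request.accessControlRequestHeaders).map((h) => h.toLowerCase());

  if (!methods.includes(wantedMethod)) return null;
  if (!wantedHeaders.every((h) => headers.includes(h))) return null;

  const out = {
    // Echo the matched origin rather than "*": a wildcard is rejected by
    // browsers when credentials are allowed, and Vary keeps shared caches from
    // replaying one origin's headers to another.
    "Access-Control-Allow-Origin": request.origin,
    "Vary": "Origin",
    "Access-Control-Allow-Methods": methods.join(", "),
    "Access-Control-Allow-Headers": splitList(rule.allowedHeaders).join(", "),
  };
  if (rule.maxAge != null) out["Access-Control-Max-Age"] = String(rule.maxAge);
  if (rule.allowCredentials === true) out["Access-Control-Allow-Credentials"] = "true";
  if (rule.exposedHeaders) out["Access-Control-Expose-Headers"] = splitList(rule.exposedHeaders).join(", ");
  return out;
}
```

A request that does not match any active record, asks for a method outside allowedMethods, or sends a header outside allowedHeaders yields null, which is the correct defensive outcome: returning no CORS headers is what makes the browser refuse the call. Note that this check only constrains browsers honouring CORS; it does not stop a non-browser client that holds the key, which is why the page treats origin restriction as a mitigation for exposed public keys rather than as authentication.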