Allowed origins

By the end of this page you'll have locked your widget to the exact origins where it's supposed to run — and nowhere else.

Before you start

  • A bot you've already created (see Create your first bot).
  • The full list of origins (scheme + host + optional port) where you plan to embed the widget.

What an origin is

An origin is the triple scheme://host[:port]. These are all distinct origins:

  • https://acme.example
  • https://www.acme.example
  • https://staging.acme.example
  • http://localhost:3000

If you serve the same site on both the apex and the www subdomain, you need both entries — the browser treats them as different origins.

The field

Field            Type       Default   Description
allowedOrigins   string[]   []        Allowlist of site origins where the widget is permitted to load its config.

The field lives on widgetConfig alongside the appearance fields. An empty array means the widget loads nowhere by design — set it before you go live.

Example — a staging/production pair

{
  "allowedOrigins": [
    "https://acme.example",
    "https://www.acme.example",
    "https://staging.acme.example"
  ]
}

How it's enforced

When the widget boots on a page, it fetches /v1/public/bots/{publicId}/config from the MimicBot API. Your allowedOrigins list is the allowlist the enforcement layer reads from when it checks the browser's Origin header on that request.

  • Empty list → treat this as the "not configured yet" state; set it before you go live.
  • One or more entries → only exact matches are in scope. Subdomains are not wildcarded: https://acme.example and https://www.acme.example are two different entries.
  • localhost during development → add http://localhost:PORT explicitly if you want the widget to render in local dev.

Enforcement not yet wired up

The allowedOrigins field is persisted on your bot record and surfaced in the public config endpoint, but the public endpoint currently returns Access-Control-Allow-Origin: * unconditionally — it does not yet reject requests whose Origin header falls outside your allowlist. Allowlist enforcement is tracked on the Roadmap. Keep the list accurate today so the switch-over is a no-op when enforcement lands.
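The exact-match check the list above describes, written out as an added example (this is not MimicBot's code; the function names, the normalisation rules and the sample allowlist are assumptions). It also shows the per-origin CORS headers a config endpoint would send in place of an unconditional Access-Control-Allow-Origin: *.

```javascript
// Added example, not MimicBot's own implementation. Assumed normalisation:
// scheme and host compare case-insensitively, default ports (80/443) are
// dropped, and anything beyond scheme://host[:port] is rejected outright.

// Constructed sample allowlist, mirroring the entries used on this page
const SAMPLE_ALLOWLIST = [
  "https://acme.example",
  "https://www.acme.example",
  "http://localhost:3000",
];

function normalizeOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // missing header, "null", or an unparseable value
  }
  // An origin has no path, query, fragment or credentials
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return null;
  }
  // URL.origin lower-cases the host and omits default ports; opaque
  // origins (data:, file:) serialise as the string "null"
  return url.origin === "null" ? null : url.origin;
}

function isOriginAllowed(allowedOrigins, originHeader) {
  // Empty list is the "not configured yet" state: nothing is allowed
  if (!Array.isArray(allowedOrigins) || allowedOrigins.length === 0) return false;
  const requested = normalizeOrigin(originHeader ?? "");
  if (requested === null) return false;
  // Exact match only: no subdomain wildcards, no scheme or port leniency
  return allowedOrigins.some((entry) => normalizeOrigin(entry) === requested);
}

// Headers for an allowed request; null means the caller should refuse (e.g. 403)
function corsHeadersFor(allowedOrigins, originHeader) {
  if (!isOriginAllowed(allowedOrigins, originHeader)) return null;
  return {
    "Access-Control-Allow-Origin": normalizeOrigin(originHeader),
    // Response now varies by Origin, so shared caches must key on it
    "Vary": "Origin",
  };
}
```

Note that https://staging.acme.example and http://localhost:3001 are rejected against SAMPLE_ALLOWLIST, which is exactly why every host and port you deploy to needs its own entry.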

Setting the list

Pass allowedOrigins in widgetConfig when you create the bot:

curl -X POST https://api.mimicbot.app/api/bots \
  -H "Authorization: Bearer $MIMICBOT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme Support Bot",
    "clientUrl": "https://acme.example",
    "widgetConfig": {
      "allowedOrigins": [
        "https://acme.example",
        "https://www.acme.example"
      ]
    }
  }'

To edit the list after creation, use Settings → Allowed origins in the dashboard. A dedicated PATCH surface for widgetConfig is on the roadmap.

Next

→ Assistant persona