🔒
Domain Whitelisting
Lock your widget to specific domains so only your sites can use your API quota. Middleware-level enforcement — no client-side workarounds possible.
echosdk.com/dashboard — App Settings
Allowed Origins
✓ https://myapp.com
✓ https://staging.myapp.com
✗ https://malicious-site.com (Blocked)
🛡️ Server-Side Enforcement
Origin validation happens in the API middleware before any AI processing. Blocked requests never reach your knowledge base or consume quota.
- ✓ Origin header verification
- ✓ Zero quota consumption on blocked requests
- ✓ Cannot be bypassed client-side
⚙️ Flexible Rules
Add as many domains as you need. Works with wildcards for subdomains. Manage everything from your dashboard with instant effect.
- ✓ Multiple domains per app
- ✓ Instant changes — no redeploy
- ✓ Staging and production separation
🔑 API Key Isolation
Each app has its own API key and whitelist. A compromised key on one site cannot affect your other apps or domains.
- ✓ Per-app key rotation
- ✓ Complete isolation between apps
- ✓ Audit log of blocked attempts
💡 Zero Config Default
Leave the whitelist empty during development and testing. Add domains when you go to production. No changes to your widget code needed.
- ✓ Open by default for dev
- ✓ Lock down at go-live
- ✓ No widget code changes required
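A minimal sketch of the server-side origin check described above, covering subdomain wildcards and the open-when-empty default. This is an added example, not EchoSDK's own code: the function names, the reason strings and the `https://*.myapp.com` rule syntax are assumptions.

```javascript
// Added example. Rule syntax "scheme://host" or "scheme://*.host" is assumed,
// not taken from EchoSDK documentation.
const RULE_RE = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/;

function parseOrigin(header) {
  // Browsers send Origin as scheme://host[:port]; "null", paths, queries,
  // credentials and non-http(s) schemes are all rejected.
  if (typeof header !== 'string') return null;
  let u;
  try { u = new URL(header); } catch { return null; }
  if (!/^https?:$/.test(u.protocol)) return null;
  if (u.pathname !== '/' || u.search || u.hash || u.username) return null;
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port };
}

function matchesRule(origin, rule) {
  const m = RULE_RE.exec(rule.toLowerCase());
  if (!m) return false; // a malformed rule never matches anything
  const [, scheme, wildcard, host, port = ''] = m;
  if (origin.scheme !== scheme || origin.port !== port) return false;
  if (!wildcard) return origin.host === host;
  // "*.myapp.com" covers subdomains only. Requiring the leading dot keeps
  // look-alikes such as "evilmyapp.com" or "myapp.com.evil.example" out.
  return origin.host.endsWith('.' + host);
}

function checkOrigin(originHeader, allowlist) {
  // Default stated on the page: an empty whitelist leaves the app open.
  if (allowlist.length === 0) return { allowed: true, reason: 'allowlist-empty' };
  const origin = parseOrigin(originHeader);
  if (!origin) return { allowed: false, reason: 'missing-or-malformed-origin' };
  const hit = allowlist.some((rule) => matchesRule(origin, rule));
  return { allowed: hit, reason: hit ? 'origin-allowed' : 'origin-not-in-allowlist' };
}

// Constructed sample data: one exact rule, one wildcard rule.
const sampleAllowlist = ['https://myapp.com', 'https://*.myapp.com'];
for (const o of ['https://staging.myapp.com', 'https://malicious-site.com',
                 'https://evilmyapp.com', undefined]) {
  // The reason string is what an audit log of blocked attempts would record.
  console.log(String(o), checkOrigin(o, sampleAllowlist));
}
```

Origin is a browser-enforced header, so this check governs which sites can embed the widget; the per-app API key and the audit log of blocked attempts remain the controls for other clients.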