Restrict Data Access to Specific Domains

You can give specific domains and IP addresses access to your dataset APIs by listing those domains in a given publishable API token. After you set a domain restriction on an API token, requests that use the token are accepted only if their HTTP referer header satisfies the restriction.

Note

The spelling "referer" in the HTTP header name is the result of a misspelling of the word "referrer" that has since become part of the HTTP standard.

Set up a Domain Restriction

  1. Go to API Tokens. It’s listed in your user menu.

    The API Tokens page appears, listing your tokens in order, oldest to newest.

  2. Click the Manage button next to the API token you want to set restrictions for. The Token settings page appears for the token.

  3. In the Allowed Domains field, enter the domain and/or IP address values where you want to allow requests from.

  4. When you’re done entering allowed domain values, click Done. The restriction goes into effect in about 30 seconds.

Now requests that use the token must have an HTTP referer header value that matches one of the Allowed Domains values.

Single Domain Restrictions

A domain restriction can be a URL or an IP address. The form validates each domain restriction. If any of the domain restrictions are invalid, the Update domain button remains disabled.

Path Restrictions

A wildcard character ("*") is implicitly appended to every domain restriction. This allows the referer to include anything in the path following the restriction. For example, the following HTTP referers are considered valid requests for the restriction www.example.com:

http://www.example.com/

http://www.example.com/app

http://www.example.com/app/user/1

http://www.example.com/app/stock

If you want to further restrict paths for the example, you can update the restriction to a longer path. So, if you set the domain restriction to www.example.com/app/stock, then these would be valid referers:

https://www.example.com/app/stock

https://www.example.com/app/stock/AAPL

The following referers, however, would not be valid under the restriction www.example.com/app/stock:

http://www.example.com/

http://www.example.com/app

Protocol Restrictions (HTTP v. HTTPS)

If you don’t specify a protocol, both the HTTPS and HTTP protocols are allowed. If you want to limit calls to HTTPS only, prefix the restriction with https:// like this: https://www.example.com.

Under the https://www.example.com restriction, https://www.example.com/stock is a valid referer, while http://www.example.com/stock is not a valid referer.

Allowing multiple subdomains

You can prepend a wildcard * character to a restriction to support multiple subdomains. For example, the following referers are valid under the restriction https://*.example.com:

https://www.example.com

https://dev.example.com

https://app.example.com

Multiple Domain Restrictions

You can set multiple domain restrictions by separating them with a space character. For example, a restriction of www.mysite.com *.example.com allows requests from the following referers:

www.mysite.com/app

app.example.com/user

A referer need only satisfy one of the restriction’s domain patterns.
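The matching rules described in the Path, Protocol, Subdomain and Multiple Domain sections above can be expressed as a small referer matcher. The following Python block is an added example written for this page; it is not the service's own implementation, and the function names (`is_valid_restriction`, `referer_matches`, `referer_allowed`) are invented for illustration. It assumes that the implicit trailing wildcard applies to the path only (so the host must match exactly, or by suffix when the restriction starts with `*.`), that `*.example.com` does not match the bare host `example.com`, and that a path restriction is a plain string prefix (so `www.example.com/app/stock` would also allow `/app/stocks`). Sample referers are taken from the examples on this page.

```python
"""Referer-based API token domain restriction matcher (constructed example)."""
from __future__ import annotations

import re
from typing import List, Optional, Tuple

# Lowercased host: optional leading "*." wildcard, dotted labels, optional port.
# Also accepts dotted IPv4 addresses, which this page allows as restrictions.
_HOST_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?$")


def _split(url: str) -> Tuple[Optional[str], str, str]:
    """Split 'scheme://host/path' into (scheme or None, host, path).

    The scheme is optional: referers like 'www.mysite.com/app' and
    restrictions like 'www.example.com' have none. A missing path is '/'.
    """
    scheme: Optional[str] = None
    rest = url.strip()
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
        scheme = scheme.lower()
    host, _, path = rest.partition("/")
    return scheme, host.lower(), "/" + path


def is_valid_restriction(restriction: str) -> bool:
    """Form-side validation: a restriction is a host (or IP) with an optional
    http/https prefix, an optional leading '*.' wildcard and an optional path."""
    scheme, host, _ = _split(restriction)
    if scheme is not None and scheme not in ("http", "https"):
        return False
    return _HOST_RE.match(host) is not None


def referer_matches(restriction: str, referer: str) -> bool:
    """True if one restriction accepts the given referer header value."""
    r_scheme, r_host, r_path = _split(restriction)
    f_scheme, f_host, f_path = _split(referer)

    # Protocol: enforced only when the restriction names one
    # (e.g. 'https://www.example.com' rejects http:// referers).
    if r_scheme is not None and f_scheme != r_scheme:
        return False

    # Host: a leading '*.' allows any subdomain (assumption: the bare
    # apex host is not included); otherwise the host must match exactly.
    if r_host.startswith("*."):
        if not f_host.endswith(r_host[1:]):
            return False
    elif f_host != r_host:
        return False

    # Path: the implicit trailing '*' makes the restriction path a prefix.
    # Assumption: plain string prefix, so '/app/stock' also admits '/app/stocks'.
    return f_path.startswith(r_path)


def referer_allowed(allowed_domains: str, referer: str) -> bool:
    """Space-separated restrictions; the referer need only satisfy one."""
    return any(referer_matches(r, referer) for r in allowed_domains.split())


def invalid_restrictions(allowed_domains: str) -> List[str]:
    """Return the entries that would keep the form's update button disabled."""
    return [r for r in allowed_domains.split() if not is_valid_restriction(r)]


if __name__ == "__main__":
    rules = "https://www.mysite.com *.example.com"
    for ref in ("https://www.mysite.com/app", "app.example.com/user",
                "http://www.mysite.com/app", "https://www.example.org/"):
        print(f"{ref:32} -> {'allowed' if referer_allowed(rules, ref) else 'rejected'}")
```

Note that this check runs on whatever the client sends in the referer header; it is useful for narrowing where a publishable token is normally used, but the matcher cannot tell a browser-set referer from one chosen by the caller.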

Limitations

Please note that while restricting the HTTP referer does provide a layer of security, the referer header is supplied by the client, so anyone who obtains your token can make requests with it and spoof the referer header to satisfy the restriction.