> ## Documentation Index
> Fetch the complete documentation index at: https://algolia.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Approved domains

> Restrict which origins can call an Agent Studio agent's completion endpoint.

<Callout icon="flask-conical" color="#14b8a6">
  This is a **beta feature** according to [Algolia's Terms of Service ("Beta Services")](https://www.algolia.com/policies/terms/).
</Callout>

Use approved domains to restrict which origins can call an agent's `/completions` endpoint.
Each agent has a list of approved domains.

* If the approved domains list is empty, requests from any origin are accepted.
* If the approved domains list has entries, only requests whose `Origin` header or referrer matches an approved domain are accepted: all others receive a `403`.

## Approved domain matching

Approved domains are matched against the request's `Origin` (or referrer) header:

| Pattern    | Example                     | Matches                                              |
| ---------- | --------------------------- | ---------------------------------------------------- |
| Exact host | `myapp.example.com`         | `https://myapp.example.com`                          |
| Full URL   | `https://myapp.example.com` | Matches `myapp.example.com`                          |
| Wildcard   | `*.example.com`             | Any subdomain, for example `https://sub.example.com` |

Matching is case-insensitive.
An empty approved domains list stops the check for that agent.

## Add approved domains

This operation requires an API key with the `editSettings` [ACL](/doc/guides/security/api-keys#rights-and-restrictions).

For example, to add a domain to an agent's approved list:

```sh Command line icon=square-terminal theme={"system"}
curl -X POST "https://$ALGOLIA_APPLICATION_ID.algolia.net/agent-studio/1/agents/$AGENT_ID/allowed-domains" \
  -H 'Content-Type: application/json' \
  -H "x-algolia-application-id: $ALGOLIA_APPLICATION_ID" \
  -H "x-algolia-api-key: $ALGOLIA_API_KEY" \
  -d '{ "domain": "https://myapp.example.com" }'
```

### Add multiple domains

For example:

```sh Command line icon=square-terminal theme={"system"}
curl -X POST "https://$ALGOLIA_APPLICATION_ID.algolia.net/agent-studio/1/agents/$AGENT_ID/allowed-domains/bulk" \
  -H 'Content-Type: application/json' \
  -H "x-algolia-application-id: $ALGOLIA_APPLICATION_ID" \
  -H "x-algolia-api-key: $ALGOLIA_API_KEY" \
  -d '{ "domains": ["https://app2.example.com", "*.allowed.com"] }'
```

<Note>
  The API skips duplicates for the same agent.
</Note>

## List approved domains

```sh Command line icon=square-terminal theme={"system"}
curl "https://$ALGOLIA_APPLICATION_ID.algolia.net/agent-studio/1/agents/$AGENT_ID/allowed-domains" \
  -H "x-algolia-application-id: $ALGOLIA_APPLICATION_ID" \
  -H "x-algolia-api-key: $ALGOLIA_API_KEY"
```

### Response

```json JSON icon=braces theme={"system"}
{
  "domains": [
    {
      "id": "8b77f421-4a22-4405-a01a-49f21631e56b",
      "domain": "https://myapp.example.com",
      "createdAt": "2026-04-27T12:00:00Z",
      "updatedAt": "2026-04-27T12:00:00Z"
    }
  ]
}
```

## Remove approved domains

<Tabs>
  <Tab title="Remove one domain">
    ```sh Command line icon=square-terminal theme={"system"}
    curl -X DELETE "https://$ALGOLIA_APPLICATION_ID.algolia.net/agent-studio/1/agents/$AGENT_ID/allowed-domains/$DOMAIN_ID" \
      -H "x-algolia-application-id: $ALGOLIA_APPLICATION_ID" \
      -H "x-algolia-api-key: $ALGOLIA_API_KEY"
    ```
  </Tab>

  <Tab title="Remove several domains">
    Bulk delete by a list of domain ids:

    ```sh Command line icon=square-terminal theme={"system"}
    curl -X DELETE "https://$ALGOLIA_APPLICATION_ID.algolia.net/agent-studio/1/agents/$AGENT_ID/allowed-domains/bulk" \
      -H 'Content-Type: application/json' \
      -H "x-algolia-application-id: $ALGOLIA_APPLICATION_ID" \
      -H "x-algolia-api-key: $ALGOLIA_API_KEY" \
      -d '{ "domain_ids": ["8b77f421-4a22-4405-a01a-49f21631e56b"] }'
    ```
  </Tab>
</Tabs>

## Blocked requests

If a request's `Origin` header or referrer doesn't match an approved domain, the API returns a `403` response:

```json JSON icon=braces theme={"system"}
{
  "message": "Request blocked for this domain"
}
```

If the approved domains list has entries, requests without an `Origin` header or referrer are also blocked.

<Note>
  If you're using the [Algolia dashboard's Agent Studio playground](/doc/guides/algolia-ai/agent-studio/how-to/dashboard), add the dashboard domain (`https://dashboard.algolia.com/`) to the approved list.
  Otherwise, playground requests are blocked.
</Note>

## See also

* [Agent configuration](/doc/guides/algolia-ai/agent-studio/how-to/agent-configuration)
* [Agent Studio REST API reference](/doc/rest-api/agent-studio)
