Approved domains

This is a beta feature according to Algolia’s Terms of Service (“Beta Services”).

Use approved domains to restrict which origins can call an agent’s /completions endpoint. Each agent has a list of approved domains.

If the approved domains list is empty, requests from any origin are accepted.
If the approved domains list has entries, only requests whose Origin header or referrer matches an approved domain are accepted: all others receive a 403.

Approved domain matching

Approved domains are matched against the request’s Origin (or referrer) header:

Pattern	Example	Matches
Exact host	`myapp.example.com`	`https://myapp.example.com`
Full URL	`https://myapp.example.com`	Matches `myapp.example.com`
Wildcard	`*.example.com`	Any subdomain, for example `https://sub.example.com`

Matching is case-insensitive. An empty approved domains list stops the check for that agent.

Add approved domains

This operation requires an API key with the editSettings ACL. For example, to add a domain to an agent’s approved list:

Command line

curl -X POST "https://$ALGOLIA_APPLICATION_ID.algolia.net/agent-studio/1/agents/$AGENT_ID/allowed-domains" \
  -H 'Content-Type: application/json' \
  -H "x-algolia-application-id: $ALGOLIA_APPLICATION_ID" \
  -H "x-algolia-api-key: $ALGOLIA_API_KEY" \
  -d '{ "domain": "https://myapp.example.com" }'

Add multiple domains

For example:

Command line

curl -X POST "https://$ALGOLIA_APPLICATION_ID.algolia.net/agent-studio/1/agents/$AGENT_ID/allowed-domains/bulk" \
  -H 'Content-Type: application/json' \
  -H "x-algolia-application-id: $ALGOLIA_APPLICATION_ID" \
  -H "x-algolia-api-key: $ALGOLIA_API_KEY" \
  -d '{ "domains": ["https://app2.example.com", "*.allowed.com"] }'

The API skips duplicates for the same agent.

List approved domains

Command line

curl "https://$ALGOLIA_APPLICATION_ID.algolia.net/agent-studio/1/agents/$AGENT_ID/allowed-domains" \
  -H "x-algolia-application-id: $ALGOLIA_APPLICATION_ID" \
  -H "x-algolia-api-key: $ALGOLIA_API_KEY"

Response

JSON

{
  "domains": [
    {
      "id": "8b77f421-4a22-4405-a01a-49f21631e56b",
      "domain": "https://myapp.example.com",
      "createdAt": "2026-04-27T12:00:00Z",
      "updatedAt": "2026-04-27T12:00:00Z"
    }
  ]
}

Remove approved domains

Remove one domain
Remove several domains

Command line

curl -X DELETE "https://$ALGOLIA_APPLICATION_ID.algolia.net/agent-studio/1/agents/$AGENT_ID/allowed-domains/$DOMAIN_ID" \
  -H "x-algolia-application-id: $ALGOLIA_APPLICATION_ID" \
  -H "x-algolia-api-key: $ALGOLIA_API_KEY"

Bulk delete by a list of domain ids:

Command line

curl -X DELETE "https://$ALGOLIA_APPLICATION_ID.algolia.net/agent-studio/1/agents/$AGENT_ID/allowed-domains/bulk" \
  -H 'Content-Type: application/json' \
  -H "x-algolia-application-id: $ALGOLIA_APPLICATION_ID" \
  -H "x-algolia-api-key: $ALGOLIA_API_KEY" \
  -d '{ "domain_ids": ["8b77f421-4a22-4405-a01a-49f21631e56b"] }'

Blocked requests

If a request’s Origin header or referrer doesn’t match an approved domain, the API returns a 403 response:

JSON

{
  "message": "Request blocked for this domain"
}

If the approved domains list has entries, requests without an Origin header or referrer are also blocked.

If you’re using the Algolia dashboard’s Agent Studio playground, add the dashboard domain (https://dashboard.algolia.com/) to the approved list. Otherwise, playground requests are blocked.

​Approved domain matching

​Add approved domains

​Add multiple domains

​List approved domains

​Response

​Remove approved domains

​Blocked requests

​See also

Approved domain matching

Add approved domains

Add multiple domains

List approved domains

Response

Remove approved domains

Blocked requests

See also