Allowed domains define where the Char widget can be embedded. Char uses the page origin to find your organization and validate the user’s token, so this list is both a security boundary and a routing mechanism.
What Is an Allowed Domain?
An allowed domain is a full origin (scheme + hostname + optional port):
https://app.example.com
http://localhost:3000
You can list multiple origins for the same organization (production, staging, etc.).
Why It Matters
If an origin isn’t allowed:
Char cannot map the request to your organization
the widget refuses to authenticate the user
embedding fails for that domain
This prevents unauthorized sites from embedding your widget and using your organization’s identity provider (IdP) configuration.
Configuration
Set allowed domains in the Char dashboard:
Open Settings → Integration
Add each allowed origin under Allowed Domains
Save your changes
Matching Rules
Exact match only — wildcards are not supported
Include the protocol (https:// or http://)
Include the port if you use one
Valid
https://app.example.com
https://staging.example.com
http://localhost:3000
Invalid
example.com (missing protocol)
https://*.example.com (wildcards not supported)
https://example.com/ (trailing slash)
localhost and 127.0.0.1 are always allowed for development. You do not need to add them explicitly.
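The matching rules above can be checked before an entry is saved. The following is an added example, not Char's own code: it lints candidate entries and then applies an exact-match decision to a page origin. The function names are hypothetical, and it assumes the comparison is a plain string match against the browser-serialized origin and that the development exemption covers any port on localhost and 127.0.0.1.

```javascript
// Added example, not Char's code; all names here are hypothetical.
const DEV_HOSTS = new Set(["localhost", "127.0.0.1"]);

// Lint one Allowed Domains entry. Returns null if usable, else the reason.
function checkAllowedDomainEntry(entry) {
  if (!/^https?:\/\//.test(entry)) return "missing protocol";
  if (entry.includes("*")) return "wildcards not supported";
  if (entry.endsWith("/")) return "trailing slash";
  let url;
  try {
    url = new URL(entry);
  } catch {
    return "not a valid URL";
  }
  // Browsers serialize an origin with a lowercase host, no default port and
  // no path, so any other spelling can never equal a real page origin.
  if (url.origin !== entry) return "not a bare origin";
  return null;
}

// Exact-match decision for the origin of the embedding page.
function isOriginAllowed(pageOrigin, allowList) {
  let url;
  try {
    url = new URL(pageOrigin);
  } catch {
    return false; // e.g. the opaque origin "null" from a sandboxed frame
  }
  if (url.origin !== pageOrigin) return false;
  // Assumption: the development exemption covers any port on these hosts.
  if (DEV_HOSTS.has(url.hostname)) return true;
  return allowList.includes(pageOrigin);
}

// Constructed sample data.
const allowList = ["https://app.example.com", "https://staging.example.com"];
const candidates = ["https://app.example.com", "example.com",
  "https://*.example.com", "https://example.com/", "https://app.example.com:443"];
for (const c of candidates) {
  console.log(c, "->", checkAllowedDomainEntry(c) ?? "ok");
}
for (const o of ["https://app.example.com", "http://app.example.com",
  "https://app.example.com.evil.test", "https://localhost.evil.test"]) {
  console.log(o, "->", isOriginAllowed(o, allowList) ? "allowed" : "refused");
}
```

Because matching is exact, `http://app.example.com` and look-alike hosts such as `https://app.example.com.evil.test` are refused even though they share a prefix with an allowed entry.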