What is domain whitelisting?
When your users authenticate via OAuth providers (like Google, Apple, GitHub) or receive magic links via email, MoonKey needs to ensure they’re redirected to legitimate domains you control. By whitelisting domains in the MoonKey Dashboard, you specify which domains are authorized for authentication flows. Once a domain is whitelisted, MoonKey automatically handles all authentication redirects to that domain; there is no need to configure specific URLs or paths.
How it works
Simply whitelist a domain, and MoonKey takes care of the rest:
- ✅ https://some-domain.com/login
- ✅ https://some-domain.com/auth/callback
- ✅ https://some-domain.com/welcome
- ✅ https://some-domain.com/some/path
MoonKey validates the domain only—all paths under that domain are automatically allowed.
Subdomains
Each subdomain must be whitelisted separately. For example, if you whitelist https://some-domain.com, the subdomain https://welcome.some-domain.com will not be automatically included.
To support multiple subdomains, add each one individually:
- https://some-domain.com
- https://welcome.some-domain.com
- https://app.some-domain.com
Where domain whitelisting is used
Domain whitelisting secures the following authentication methods:
- OAuth authentication - Google, Apple, GitHub, Discord, Microsoft
- Magic links - Email-based passwordless authentication
- Email OTP - One-time passcode authentication flows
Configuring whitelisted domains
To whitelist domains for your app:
- Log in to the MoonKey Dashboard
- Select your app from the dropdown
- Navigate to Domain Whitelisting in the sidebar
- Click Add Domain
- Enter your domain (e.g., https://app.some-domain.com or http://localhost:3000)
- Click Save
Best practices
Security
- Use HTTPS in production - Never use HTTP domains in production environments
- Whitelist only what you need - Only add domains and subdomains you actively use for authentication
- Include all subdomains - Remember to whitelist each subdomain separately
- Regular audits - Review and remove unused domains periodically
Development workflow
- Localhost for development - Add http://localhost:3000 (or your local port) for development
- Environment-specific domains - Create separate entries for dev, staging, and production
- Test thoroughly - Verify authentication flows work correctly before going live
Domain formats
- Include protocol - Always specify http:// or https://
- Port numbers - Include port numbers when necessary (e.g., http://localhost:3000)
- No paths required - Just specify the domain; MoonKey handles all paths automatically
Example whitelisted domains
Here are common domain configurations:

| Use Case | Whitelisted Domain |
|---|---|
| Production app | https://app.example.com |
| Marketing site | https://example.com |
| Staging environment | https://staging.example.com |
| Local development | http://localhost:3000 |
| Local development (custom port) | http://localhost:8080 |
Troubleshooting
Invalid domain error
If you receive an “Invalid domain” error during authentication:
- Verify the domain is whitelisted in the MoonKey Dashboard
- Check that the protocol matches (http:// vs https://)
- Ensure the port number is included if using non-standard ports
- If using a subdomain, verify it’s whitelisted separately from the main domain
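The matching rules behind this checklist (protocol, port and subdomain must match; paths are ignored) can be modelled locally to diagnose a redirect URL before deploying. This is an added example, not MoonKey's code: it assumes exact origin matching as described on this page, and `ALLOWED`, `originOf` and `checkRedirect` are hypothetical names with constructed sample values.

```javascript
// Added example, not MoonKey code. Assumes exact origin matching
// (scheme + host + port), as this page describes; names are hypothetical.

// Constructed sample allowlist, written as it would be entered in the dashboard.
const ALLOWED = [
  "https://some-domain.com",
  "https://app.some-domain.com",
  "http://localhost:3000",
];

// Reduce a URL to scheme + host + port; null if it has no http(s) protocol.
function originOf(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // e.g. "some-domain.com/login" with no protocol
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.origin; // host lowercased, default port dropped, path ignored
}

// Report whether a redirect URL matches the allowlist, and if not, why.
function checkRedirect(redirectUrl, allowed = ALLOWED) {
  const origin = originOf(redirectUrl);
  if (origin === null) return { ok: false, reason: "missing or unsupported protocol" };
  const entries = allowed.map(originOf).filter(Boolean).map((o) => new URL(o));
  if (entries.some((e) => e.origin === origin)) return { ok: true, reason: "whitelisted" };

  // Compare parsed parts, never string prefixes, to name the mismatch.
  const target = new URL(origin);
  const sameHost = entries.filter((e) => e.hostname === target.hostname);
  if (sameHost.length > 0) {
    const schemeOk = sameHost.some((e) => e.protocol === target.protocol);
    return { ok: false, reason: schemeOk ? "port mismatch" : "protocol mismatch" };
  }
  if (entries.some((e) => target.hostname.endsWith("." + e.hostname)))
    return { ok: false, reason: "subdomain not whitelisted separately" };
  return { ok: false, reason: "domain not whitelisted" };
}

// Constructed sample inputs, one per checklist item.
for (const u of ["https://some-domain.com/auth/callback", "http://app.some-domain.com/login",
                 "http://localhost:8080", "https://welcome.some-domain.com/"]) {
  console.log(u, "->", checkRedirect(u).reason);
}
```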
Authentication redirect not working
If users aren’t being redirected after authentication:
- Confirm the domain is properly whitelisted
- Check that you’re using the correct protocol (HTTPS in production)
- For localhost, ensure the port number matches your development server
- Check browser console for any redirect or CORS errors
- Verify your OAuth callback URLs match the whitelisted domain
Subdomain issues
If authentication isn’t working on a subdomain:
- Verify the specific subdomain is whitelisted (subdomains are not automatically included)
- Check that the subdomain format is correct (e.g., https://app.example.com)
- Ensure both the protocol and subdomain match exactly
- Add each subdomain separately in the dashboard