Whitelist Settings

The Whitelist Settings section allows you to configure domain and URL authorization for enhanced security. Web3Auth requires explicit whitelisting of domains and URLs that are authorized to use your project's Web3Auth SDK, providing protection against unauthorized usage and potential security threats.

Domain Authorization Overview

Domain whitelisting is a critical security feature that prevents unauthorized applications from using your Web3Auth project credentials. Only domains and URLs explicitly added to your whitelist can successfully authenticate users through your Web3Auth configuration.

Security Benefits

Prevents Credential Theft: Unauthorized sites cannot use your Client ID
Protects User Data: Ensures authentication flows only occur on approved domains
Compliance Ready: Meets security standards for production applications
Fraud Prevention: Blocks malicious sites from impersonating your application

Web Application Whitelisting

Supported URL Formats

Web3Auth supports various URL formats for comprehensive domain coverage:

Standard Domains:

https://myapp.com
https://www.myapp.com
https://app.mycompany.com

Development Environments:

http://localhost:3000
http://localhost:8080
https://dev.myapp.com
https://staging.myapp.com

Subdomain Patterns:

https://*.myapp.com (covers all subdomains)
https://feature-*.myapp.com (wildcard patterns)

Port-Specific URLs:

https://myapp.com:8443
http://localhost:3000
http://127.0.0.1:8080

Adding Web Domains

Navigate to Project Settings → Whitelist
Click "Add Domain" or similar button
Enter the complete URL including protocol (http:// or https://)
Verify the domain if required
Save the configuration

Best Practices:

Always use HTTPS for production domains
Include all necessary subdomains
Add development and staging environments
Test authentication after adding domains

Mobile Application Whitelisting

Bundle Identifiers

For mobile applications, whitelist the app's bundle identifier or package name:

iOS Bundle IDs:

com.yourcompany.yourapp
com.yourcompany.yourapp.staging

Android Package Names:

com.yourcompany.yourapp
com.yourcompany.yourapp.debug

Deep Link Schemes

Mobile applications using deep links should whitelist their custom URL schemes:

Custom Schemes:

yourapp://auth
com.yourcompany.yourapp://callback

Universal Links (iOS):

https://yourapp.com/auth/callback

App Links (Android):

https://yourapp.com/auth/callback

Environment-Specific Configuration

Development Environment

For development and testing:

http://localhost:3000
http://localhost:8080
http://127.0.0.1:3000
https://dev.yourapp.com
https://staging.yourapp.com

Development Tips:

Whitelist common development ports
Include both localhost and 127.0.0.1
Add staging and testing environments
Use HTTP for local development (HTTPS for staging)

Production Environment

Production Requirements

For Sapphire Mainnet projects, at least one domain must be whitelisted before the SDK can be used in production. This is a mandatory security requirement.

Production Checklist:

✅ All production domains whitelisted
✅ HTTPS enforced for all domains
✅ Subdomain coverage complete
✅ Mobile bundle IDs added
✅ Deep link schemes configured
✅ Remove development URLs

Wildcard Domains

Subdomain Wildcards

Use wildcard patterns to cover multiple subdomains efficiently:

Single-level wildcard:

https://*.myapp.com

Covers: https://api.myapp.com, https://admin.myapp.com, https://user.myapp.com

Multi-level wildcards:

https://*.*.myapp.com

Covers: https://api.v1.myapp.com, https://admin.staging.myapp.com

Dynamic Subdomains

For applications with dynamic subdomains (multi-tenant apps):

https://*.myapp.com
https://tenant-*.myapp.com
https://*.saas.myapp.com

Verification Process

Domain Verification

Some domains may require verification to ensure ownership:

DNS Verification: Add a TXT record to your domain's DNS
File Upload: Upload a verification file to your web server
HTML Meta Tag: Add a meta tag to your website's homepage

Verification Status

Monitor the verification status in your dashboard:

✅ Verified: Domain is confirmed and active
⏳ Pending: Verification in progress
❌ Failed: Verification unsuccessful, requires attention

Common Issues and Solutions

Authentication Failures

Problem: Users cannot authenticate on your domain Solutions:

Verify the domain is in your whitelist
Check for typos in the domain name
Ensure protocol (http/https) matches exactly
Confirm subdomain patterns are correct

Development Environment Issues

Problem: Local development not working Solutions:

Add http://localhost:PORT to whitelist
Include http://127.0.0.1:PORT as alternative
Check if your development server uses a different port
Verify protocol matches (http vs https)

Mobile App Issues

Problem: Mobile authentication failing Solutions:

Verify bundle ID matches exactly
Check deep link scheme configuration
Ensure URL schemes are properly whitelisted
Test with both debug and release builds

Security Best Practices

Regular Audits

Monthly Reviews: Check whitelist for unused domains
Remove Stale Entries: Delete old development or staging URLs
Monitor Access: Review authentication patterns for anomalies
Update Documentation: Keep domain lists current for your team

Principle of Least Privilege

Minimal Domains: Only whitelist necessary domains
Specific Patterns: Avoid overly broad wildcard patterns
Environment Separation: Use different projects for dev/staging/prod
Regular Cleanup: Remove domains when no longer needed

Compliance Considerations

Data Residency: Consider where authentication occurs
Privacy Regulations: Ensure whitelisted domains comply with privacy laws
Security Standards: Meet industry requirements for domain authorization
Audit Trails: Maintain records of domain modifications

Advanced Configuration

CDN and Load Balancer Support

For applications using CDNs or load balancers:

https://cdn.myapp.com
https://lb.myapp.com
https://edge-*.myapp.com

Multi-Region Deployments

For global applications with regional domains:

https://us.myapp.com
https://eu.myapp.com
https://asia.myapp.com
https://*.global.myapp.com

API Gateway Integration

For applications behind API gateways:

https://api.myapp.com
https://gateway.myapp.com
https://*.api.myapp.com

Next Steps

Project Settings - Configure basic project information
Advanced Project Settings - Access advanced configuration options
Session Management - Control session duration and behavior

Connect to MetaMask

Create embedded wallets

Create smart accounts

Extend and scale

MetaMask SDK

Wallet API

React SDK

Vue SDK

JavaScript SDK

Node SDK

Unity SDK

Android SDK

iOS SDK

React Native SDK

Flutter SDK

Unreal SDK

Delegation Toolkit

Services

Snaps

Domain Authorization Overview​

Security Benefits​

Web Application Whitelisting​

Supported URL Formats​

Adding Web Domains​

Mobile Application Whitelisting​

Bundle Identifiers​

Deep Link Schemes​

Environment-Specific Configuration​

Development Environment​

Production Environment​

Wildcard Domains​

Subdomain Wildcards​

Dynamic Subdomains​

Verification Process​

Domain Verification​

Verification Status​

Common Issues and Solutions​

Authentication Failures​

Development Environment Issues​

Mobile App Issues​

Security Best Practices​

Regular Audits​

Principle of Least Privilege​

Compliance Considerations​

Advanced Configuration​

CDN and Load Balancer Support​

Multi-Region Deployments​

API Gateway Integration​

Next Steps​