How do I restrict my key to specific domains?

Last updated June 2026

Use Domain controls to choose which websites your API keys are allowed to run on. Add an allow list so only your own sites can use your key, block specific domains, or both. Domain controls are available on any paid plan.

What domain controls do

Domain controls give you two lists, and both apply to every key on your account (your master key and any sub-keys):

  • Allowed domains is an allow list. As soon as it has any domains on it, only those domains can use your key. Every other website is turned away.
  • Blocked domains is a block list. Any domain you add here is turned away, whether or not you also use an allow list.

A domain can't be on both lists at once.

Set up an allow list

  1. Sign in and open Domain controls.
  2. Under Allowed domains, add each website that may use your key, for example mysite.com. You can add up to 50.
  3. Click Save.

You don't need to add the www. version separately. Adding mysite.com also allows www.mysite.com.

Block specific domains

To turn a website away, add it under Blocked domains. A blocked domain is refused on every key on your account, master and sub-keys alike, whether or not you also use an allow list.

What happens when a domain is turned away

When domain controls refuse a request, the plugin shows it as an invalid-key message even though the key itself is fine. It was the domain that wasn't allowed, not the key. See "How do I fix an invalid or revoked API key?"
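The rules above, modeled as an added Python example (not the service's own code) that you can use to predict which sites a planned configuration would turn away. The class and function names are hypothetical, and two behaviors are assumptions the page does not state: the www. form is folded on both lists, and other subdomains such as shop.mysite.com are not matched.

```python
MAX_ALLOWED = 50  # allow-list limit stated on this page


def normalize(domain: str) -> str:
    """Lower-case the name and fold the www. form into the bare domain."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


class DomainControls:
    """Account-wide lists: they apply to the master key and every sub-key."""

    def __init__(self, allowed=(), blocked=()):
        self.allowed = {normalize(d) for d in allowed}
        self.blocked = {normalize(d) for d in blocked}
        if len(self.allowed) > MAX_ALLOWED:
            raise ValueError("allow list holds at most 50 domains")
        overlap = self.allowed & self.blocked
        if overlap:  # a domain can't be on both lists at once
            raise ValueError(f"on both lists: {sorted(overlap)}")

    def decide(self, domain: str) -> str:
        """Return the internal reason; the plugin shows any refusal
        as an invalid-key message even though the key is fine."""
        d = normalize(domain)
        if d in self.blocked:
            return "refused: blocked"
        if self.allowed and d not in self.allowed:
            return "refused: not on allow list"
        return "accepted"


def demo():
    # Constructed sample configuration and requesting domains.
    controls = DomainControls(allowed=["mysite.com"],
                              blocked=["scraper.example"])
    sites = ["mysite.com", "www.mysite.com", "shop.mysite.com",
             "other.example", "scraper.example"]
    return {site: controls.decide(site) for site in sites}


if __name__ == "__main__":
    for site, result in demo().items():
        print(f"{site:20} {result}")
```
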
