Why origin whitelisting exists
Without origin validation, any site on the internet could copy your embed snippet and render your Tip Stack widget on their page. A malicious actor could use this to collect tips that should be going to you, trick your audience, or execute clickjacking attacks by overlaying invisible iframes. Tip Stack enforces whitelisting at the server level on every `/sdk/init` request. The check happens before any session token is issued, so an unauthorized embed cannot proceed past the initialization step.
How it works
When your widget script runs, it sends a `POST /api/sdk/init` request that includes the embedding page’s `originUrl`. The Tip Stack server compares it against the list of domains you have approved in your creator dashboard:

- Match found — a `sessionToken` is issued and the widget loads successfully.
- No match — the server returns a `403 Unauthorized Origin` response and the widget does not render.
localhost and 127.0.0.1 are automatically treated as trusted during local development. You do not need to add them to your whitelist.
What a blocked embed looks like
When a request is rejected, the server responds with:

Add your domain

1. Open your creator dashboard: go to tipstack.fun/dashboard and sign in with your creator account.
2. Navigate to Embedded Domains: select Settings from the left sidebar, then click the Embedded Domains tab.
3. Enter your origin: type the full origin of your site into the input field and click Add Domain. The origin must include the protocol and must not have a trailing slash.
Origin format rules
Getting the origin format exactly right is important. The server performs a strict string comparison — there is no wildcard or subdomain matching.

Correct format
Include the protocol and omit the trailing slash.

- https://myblog.com
- https://www.myblog.com
- https://myapp.vercel.app
- http://staging.internal.company.com
Will not match
These formats will fail validation even if the domain is correct.
- myblog.com — missing protocol
- https://myblog.com/ — trailing slash
- https://*.myblog.com — wildcards not supported
- myblog.com/blog — paths are not origins
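The two pieces above, the format rules for whitelist entries and the strict comparison the server performs on each `/api/sdk/init` request, can be modelled in a few lines. The following is an added example written for this page, not Tip Stack's own server code. It assumes the whitelist is a plain array of origin strings, that the localhost exemption applies to any origin whose hostname is `localhost` or `127.0.0.1` regardless of port or scheme, and it uses a placeholder `issueToken` in place of the real session-token minting.

```javascript
// Added example (not Tip Stack's code): models the origin whitelist check
// described on this page. Assumptions: whitelist is an array of origin
// strings; the localhost/127.0.0.1 exemption is keyed on hostname only.

// Check a candidate whitelist entry against the format rules above.
// Returns null when the entry is acceptable, otherwise the reason it can
// never match an incoming originUrl.
function whitelistEntryError(entry) {
  if (!/^https?:\/\//.test(entry)) return "missing protocol";
  if (entry.includes("*")) return "wildcards not supported";
  if (entry.endsWith("/")) return "trailing slash";
  let url;
  try {
    url = new URL(entry);
  } catch {
    return "not a valid URL";
  }
  if (url.pathname !== "/" || url.search || url.hash) return "paths are not origins";
  // url.origin is the canonical form a browser sends (lower-case host, default
  // port dropped). The server compares raw strings, so anything that is not
  // already canonical (e.g. mixed-case host, ":443" on https) will never match.
  if (url.origin !== entry) return "not in canonical origin form";
  return null;
}

// Constructed sample whitelist, as a creator might have added in the dashboard.
const WHITELIST = [
  "https://myblog.com",
  "https://www.myblog.com",
  "https://myapp.vercel.app",
];

// Hostnames trusted automatically during local development.
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1"]);

// Placeholder for the real token issuance; a production server would mint
// a signed, expiring session token here.
function issueToken(originUrl) {
  return "tok_" + encodeURIComponent(originUrl);
}

// Decide the outcome of POST /api/sdk/init for a given originUrl.
// Mirrors the two branches above: exact match (or local development) yields
// a sessionToken; anything else is a 403 Unauthorized Origin.
function checkInitOrigin(originUrl, whitelist = WHITELIST) {
  let hostname;
  try {
    hostname = new URL(originUrl).hostname;
  } catch {
    return { status: 403, error: "Unauthorized Origin" };
  }
  if (LOCAL_HOSTS.has(hostname)) {
    return { status: 200, sessionToken: issueToken(originUrl), localDev: true };
  }
  // Strict string comparison: no wildcard, subdomain or scheme fallback.
  if (whitelist.includes(originUrl)) {
    return { status: 200, sessionToken: issueToken(originUrl) };
  }
  return { status: 403, error: "Unauthorized Origin" };
}

// Usage: validate entries before adding them, then simulate a few requests.
for (const e of ["https://myblog.com", "myblog.com", "https://myblog.com/", "https://*.myblog.com"]) {
  console.log(e, "=>", whitelistEntryError(e) ?? "ok");
}
for (const o of ["https://myblog.com", "https://staging.myblog.com", "http://localhost:3000"]) {
  console.log(o, "=>", checkInitOrigin(o).status);
}
```

The canonical-form check in `whitelistEntryError` goes slightly beyond the four rules listed above: because the comparison is a plain string match and browsers always send a lower-cased origin with default ports stripped, an entry such as `https://MyBlog.com` or `https://myblog.com:443` is accepted by the rules yet would still produce a 403 on every request, so it is worth rejecting at entry time.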
Multiple domains
You can add as many whitelisted origins as you need. Common scenarios where multiple entries are useful:

| Scenario | Origins to add |
|---|---|
| Production + staging | https://myblog.com and https://staging.myblog.com |
| Custom domain + Vercel preview | https://myblog.com and https://myblog.vercel.app |
| www and apex | https://www.myblog.com and https://myblog.com |
| Multiple content sites | One entry per domain |
Remove a domain
To revoke a domain, return to Settings → Embedded Domains, click the × next to the origin you want to remove, and confirm. Widgets embedded on that domain will stop working immediately on their next page load.

Removing a domain does not affect any active sessions that were already initialized before the removal. Those sessions remain valid until they expire.