Skip to main content
Every time your Tip Stack widget loads, the server checks the embedding page’s origin against a list of domains you have explicitly approved. If the origin is not on your list, the widget refuses to initialize. This mechanism protects you from clickjacking and prevents other sites from embedding your tip jar without your permission.
Always whitelist your production domain before deploying the widget. Unwhitelisted embeds will silently fail for your visitors.

Why origin whitelisting exists

Without origin validation, any site on the internet could copy your embed snippet and render your Tip Stack widget on their page. A malicious actor could use this to collect tips that should be going to you, trick your audience, or execute clickjacking attacks by overlaying invisible iframes. Tip Stack enforces whitelisting at the server level on every /sdk/init request. The check happens before any session token is issued, so an unauthorized embed cannot proceed past the initialization step.

How it works

When your widget script runs, it sends a POST /api/sdk/init request that includes the embedding page’s originUrl. The Tip Stack server compares it against the list of domains you have approved in your creator dashboard:
  • Match found — a sessionToken is issued and the widget loads successfully.
  • No match — the server returns a 403 Unauthorized Origin response and the widget does not render.
localhost and 127.0.0.1 are automatically treated as trusted during local development. You do not need to add them to your whitelist.

What a blocked embed looks like

When a request is rejected, the server responds with:
{
  "error": "Unauthorized Origin",
  "message": "This domain is not authorized to embed this TipLnk widget. Please add it in your creator dashboard."
}
The widget container on the page remains empty. Visitors see nothing — there is no error displayed to them.

Add your domain

1

Open your creator dashboard

Go to tipstack.fun/dashboard and sign in with your creator account.
2

Navigate to Embedded Domains

Select Settings from the left sidebar, then click the Embedded Domains tab.
3

Enter your origin

Type the full origin of your site into the input field and click Add Domain. The origin must include the protocol and must not have a trailing slash.
https://myblog.com
https://myapp.vercel.app
https://mycreator.webflow.io
4

Save and deploy

Your new origin is active immediately — no rebuild or re-deploy is needed. Reload your embedded page to verify the widget appears.

Origin format rules

Getting the origin format exactly right is important. The server performs a strict string comparison — there is no wildcard or subdomain matching.

Correct format

Include the protocol and omit the trailing slash.
  • https://myblog.com
  • https://www.myblog.com
  • https://myapp.vercel.app
  • http://staging.internal.company.com

Will not match

These formats will fail validation even if the domain is correct.
  • myblog.com — missing protocol
  • https://myblog.com/ — trailing slash
  • https://*.myblog.com — wildcards not supported
  • myblog.com/blog — paths are not origins
www.myblog.com and myblog.com are treated as different origins. If your site serves traffic on both, add both entries separately.

Multiple domains

You can add as many whitelisted origins as you need. Common scenarios where multiple entries are useful:
ScenarioOrigins to add
Production + staginghttps://myblog.com and https://staging.myblog.com
Custom domain + Vercel previewhttps://myblog.com and https://myblog.vercel.app
www and apexhttps://www.myblog.com and https://myblog.com
Multiple content sitesOne entry per domain

Remove a domain

To revoke a domain, return to Settings → Embedded Domains, click the × next to the origin you want to remove, and confirm. Widgets embedded on that domain will stop working immediately on their next page load.
Removing a domain does not affect any active sessions that were already initialized before the removal. Those sessions remain valid until they expire.