Domain Verification

Domain verification proves that you actually own your site or domain. Because your API keys are publicly visible, we limit access from your keys to your verified domain so that third parties cannot misuse your domain and brand.

This helps prevent phishing of your users and helps stop third parties from using your domain and brand to send traffic to us with your API keys.

Fortmatic uses the Referer header to determine the caller’s domain details. Your site’s Referrer-Policy setting may be preventing the Referer header from being sent with requests. If this is the case, we recommend setting your Referrer-Policy to no-referrer-when-downgrade.

To verify a domain, go to your Dashboard.

Verification Methods

For all verification methods there will be step-by-step instructions provided on your Dashboard. Below is an overview of the methods offered and a quick primer on which might be a good fit for your setup.

Meta Tag

The fastest option if you have a deployed and publicly accessible landing page. This method will grant access only to the requested domain and its subpaths. Requests from paths not encompassed by the subpath, as well as subdomains, will be rejected.

Examples

If example.com is verified:
✅ example.com/app/login
✅ example.com/app2/login
❌ sub.example.com

If example.com/app is verified:
✅ example.com/app/login
❌ sub.example.com
❌ example.com/app2/login

Page Upload

Page upload will enable you to verify your domain if you don’t have access to your DNS settings. This method will grant access only to the requested domain and its subpaths. Requests from paths not encompassed by the subpath, as well as subdomains, will be rejected and will not work with your Production API key.

Examples

If example.com is verified:
✅ example.com/app/login
✅ example.com/app2/login
❌ sub.example.com

If example.com/app is verified:
✅ example.com/app/login
❌ sub.example.com
❌ example.com/app2/login

DNS TXT Record

If you have access to your domain’s DNS settings and are able to update its TXT records, this method will be a valid option for you. Registering a domain through this method will give the registered domain, along with all subdomains, access to your Production API key.

Example

If example.com is verified:
✅ *.example.com/*
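The scope rules above can be modelled as a check on the Referer value. This is an added example, not Fortmatic's code: the function names and the method labels "meta-tag", "page-upload" and "dns-txt" are hypothetical, and it assumes matching on whole host labels and whole path segments, which is what the ✅/❌ examples imply.

```javascript
// Added illustration of the scope rules described on this page.
// Names and method labels are hypothetical, not part of any Fortmatic API.

// "example.com/app" -> { host: "example.com", path: "/app" }
function parseVerified(entry) {
  const slash = entry.indexOf("/");
  const host = (slash === -1 ? entry : entry.slice(0, slash)).toLowerCase();
  const rawPath = slash === -1 ? "/" : entry.slice(slash);
  const path = rawPath.replace(/\/+$/, "") || "/"; // drop trailing slashes
  return { host, path };
}

function isRefererAllowed(referer, verifiedEntry, method) {
  // No Referer at all (for example Referrer-Policy: no-referrer) cannot be matched.
  if (!referer) return false;
  let url;
  try {
    url = new URL(referer);
  } catch {
    return false; // malformed header value
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;

  const { host, path } = parseVerified(verifiedEntry);
  const refHost = url.hostname.toLowerCase();

  if (method === "dns-txt") {
    // Domain plus all subdomains. Compare on a label boundary so that
    // "evilexample.com" is not treated as a subdomain of "example.com".
    return refHost === host || refHost.endsWith("." + host);
  }

  // Meta tag / page upload: exact host, then the verified path and its subpaths.
  if (refHost !== host) return false;
  if (path === "/") return true;
  // Compare on a segment boundary so that "/app2" does not pass for "/app".
  // An origin-only Referer ("https://example.com/") also fails here, which is
  // why a policy that strips the path breaks a path-scoped verification.
  return url.pathname === path || url.pathname.startsWith(path + "/");
}
```

A plain string-prefix or string-suffix comparison would get two of the ❌ cases wrong: example.com/app2/login against example.com/app, and a look-alike host ending in example.com under the DNS TXT rule.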
