Domain Verification
Domain verification proves that you own your site or domain. Because your API keys are publicly visible, we limit access from your keys to your verified domain so that third parties cannot misuse your domain and brand.
This helps prevent phishing against your users and helps keep third parties from using your domain and brand to send traffic to us with your API keys.
Fortmatic uses the Referer header to determine the caller’s domain details. Your domain could be restricting the referer from being sent with requests due to the Referrer-Policy setting. If this is the case, we recommend setting your Referrer-Policy to no-referrer-when-downgrade.
To verify a domain, go to your Dashboard.
Verification Methods
For all verification methods there will be step-by-step instructions provided on your Dashboard. Below is an overview of the methods offered and a quick primer on which might be a good fit for your setup.
Meta Tag
The fastest option if you have a deployed and publicly accessible landing page. This method grants access only to the requested domain and its subpaths. Requests from paths outside the verified path, and from subdomains, will be rejected.
Examples
If example.com is verified:
✅ example.com/app/login
✅ example.com/app2/login
❌ sub.example.com
If example.com/app is verified:
✅ example.com/app/login
❌ sub.example.com
❌ example.com/app2/login
Page Upload
Page upload lets you verify your domain if you don’t have access to your DNS settings. This method grants access only to the requested domain and its subpaths. Requests from paths outside the verified path, and from subdomains, will be rejected and will not work with your Production API key.
Examples
If example.com is verified:
✅ example.com/app/login
✅ example.com/app2/login
❌ sub.example.com
If example.com/app is verified:
✅ example.com/app/login
❌ sub.example.com
❌ example.com/app2/login
DNS TXT Record
If you have access to your domain’s DNS settings and are able to update its TXT records, this method is an option for you. Registering a domain through this method gives the registered domain, along with all of its subdomains, access to your Production API key.
Example
If example.com is verified:
✅ *.example.com/*
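The scope rules above come down to a segment-aware path check for Meta Tag and Page Upload and a dot-anchored subdomain check for DNS TXT. The sketch below is an added example, not Fortmatic's code; the function names and the shape of a verified entry are assumptions. It also shows why a missing or origin-only Referer fails a path-scoped entry.

```javascript
// Added illustration, not Fortmatic's implementation. All names are hypothetical.
// A verified entry is { method: 'meta' | 'page' | 'dns', host, path }.

function parseReferer(referer) {
  if (!referer) return null;              // header withheld, e.g. Referrer-Policy: no-referrer
  try {
    const u = new URL(referer);           // also resolves "/app/../app2" to "/app2"
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return { host: u.hostname.toLowerCase(), path: u.pathname };
  } catch {
    return null;                          // malformed header value
  }
}

// Segment-aware prefix test: "/app" covers "/app" and "/app/login", not "/app2/login".
function pathCovers(verifiedPath, requestPath) {
  const base = verifiedPath.replace(/\/+$/, '');   // "/app/" -> "/app", "/" -> ""
  return requestPath === base || requestPath.startsWith(base + '/');
}

function isAllowed(referer, entry) {
  const ref = parseReferer(referer);
  if (!ref) return false;
  const host = entry.host.toLowerCase();
  if (entry.method === 'dns') {
    // Domain plus all subdomains; the leading dot keeps "notexample.com" out.
    return ref.host === host || ref.host.endsWith('.' + host);
  }
  // Meta tag and page upload: exact host, then the verified path and its subpaths.
  return ref.host === host && pathCovers(entry.path || '/', ref.path);
}

// Constructed entries and Referer values mirroring the examples on this page.
const root = { method: 'meta', host: 'example.com', path: '/' };
const app = { method: 'page', host: 'example.com', path: '/app' };
const dns = { method: 'dns', host: 'example.com' };

const samples = [
  ['https://example.com/app2/login', root],
  ['https://example.com/app2/login', app],
  ['https://sub.example.com/', root],
  ['https://sub.example.com/x', dns],
  ['https://example.com/', app],          // origin-only Referer sent under a strict policy
];
for (const [referer, entry] of samples) {
  console.log(isAllowed(referer, entry) ? 'allow ' : 'reject', entry.method, referer);
}
```
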