Skip to main content

How does the API whitelisting work?

  • Updated

All clients must have their IP addresses whitelisted to use the Hydrogen APIs. This is needed for any server that will be authenticating the APIs, which includes any client that will be using the Hydrogen No-Code Web Components and/or No-Code Mobile WebViews.

There is a required OAuth 2.0 authentication of the Hydrogen APIs when embedding the no-code applications. Please see the No-Code Quickstart Guide for more details on using this service. Since the no-code applications will be embedded on your website or mobile app, they require extra layers of security to properly validate your access.

To do this, please go to “API Keys and Whitelists” under the settings panel on the top right of your Hydrogen portal:

api_keys_whitelists.png

You will need to add the following values before you can start hitting any Hydrogen APIs and then embedding the no-code components into your website or app:

  1. IP Whitelists: The server(s) that is calling the Hydrogen API to authenticate and get a token must be whitelisted on this page for security. Please add the static IP4 of your server(s) to the input box. If you have more than one IP4 to whitelist, please separate them with commas. e.g. 111.22.333.4, 222.33.444.5
  2. Domain Whitelists: The domain(s) that you will be hosting the HTML or Javascript embed code client-side must also be added to this page, otherwise you will receive a CORS Access Control restriction error. For local development, we don't accept localhost as a domain, but we have exempted http://localhost:7029 for our sample apps. If you change your port to 7029 you shouldn't receive CORS errors. If you have more than one domain, please separate them with commas. e.g. domain1.com, domain2.com

There are a few common errors with API whitelisting:

  • Error: CORS “No Access-Control-Allow-Origin” is present

    • Fix: This occurs when you are not whitelisting the correct domain.

  • Error: 403 “Forbidden” error accessing any API

    • Fix: Your server is accessing our APIs in a geography or manner that violates our security policy. Only U.S. and Canadian servers are allowed. Please use a U.S. cloud provider.

  • Error: 401 error accessing any API "Your IP is not whitelisted. Please contact Hydrogen support to whitelist your ip."

    • Fix: Whitelist your server's IP using the instructions above.

Learn More

How do I troubleshoot a 'CORS policy' error when I try to deploy a Web Component or Mobile WebView?

Can I whitelist more than one IP address to hit the Hydrogen APIs?

How do I generate an app token for the API?

Related articles