
Control which websites are permitted to load your Gleap widget by maintaining an allowlist of trusted domains — keeping your widget secure and preventing unauthorized use of your API key.
You can configure your Allowed Domains in Project Settings → Security → Allowed Domains.
By default, the list is empty, meaning your widget can be loaded on any domain. Once you add one or more domains to the list, only those domains will be authorized to initialize the widget with your API key.
Empty list: Your widget loads on all domains without restriction.
Domains added: Only the listed domains (and their subdomains) can load your widget.
1. Go to Project Settings in your Gleap dashboard.
2. Navigate to Security → Allowed Domains.
3. Enter a base domain (e.g. example.com) in the input field.
4. Click Add domain.
5. Repeat for any additional domains you want to allow.
Enter only the base domain without http:// or https://. Subdomains are included automatically — for example, adding example.com will also allow app.example.com. You can also add localhost to support local development.
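The matching rules described above (empty list allows everything, a base domain covers its subdomains, localhost can be listed) can be sketched as follows. This is an added illustration, not Gleap's code; the helper names `normalizeDomain` and `isAllowedHost` and the sample hosts are assumptions made for the example.

```javascript
// Added illustration of the allowlist rules on this page; not Gleap's implementation.
// normalizeDomain and isAllowedHost are hypothetical helper names.

// Reduce an entry such as "https://Example.com/" to the bare host "example.com".
function normalizeDomain(entry) {
  let value = String(entry).trim().toLowerCase();
  value = value.replace(/^[a-z][a-z0-9+.-]*:\/\//, ""); // drop http:// or https://
  value = value.split(/[/?#]/)[0];                       // drop path, query, fragment
  value = value.replace(/:\d+$/, "");                    // drop a port (localhost:3000)
  return value.replace(/\.$/, "");                       // drop a trailing dot
}

// True when `host` may load the widget under `allowedDomains`.
function isAllowedHost(host, allowedDomains) {
  if (allowedDomains.length === 0) return true; // empty list: no restriction
  // Entries that normalize to "" are dropped, so a blank entry never matches.
  const allowed = allowedDomains.map(normalizeDomain).filter(Boolean);
  const candidate = normalizeDomain(host);
  return allowed.some(
    (domain) =>
      candidate === domain ||
      // A subdomain match requires the dot boundary, so "notexample.com"
      // is not treated as a subdomain of "example.com".
      candidate.endsWith("." + domain)
  );
}

// Constructed sample input.
const sampleAllowlist = ["example.com", "localhost"];
const sampleHosts = [
  "example.com",
  "app.example.com",
  "localhost:3000",
  "notexample.com",
  "example.com.other.test",
];
for (const host of sampleHosts) {
  const verdict = isAllowedHost(host, sampleAllowlist) ? "allowed" : "blocked";
  console.log(host.padEnd(26), verdict);
}
```

The last two sample hosts only look similar to example.com; a plain suffix or substring comparison would accept them, which is why the check compares whole labels.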