AffinityBots LogoAffinityBots
Deployments

Origin Allowlists & Security

Secure public deployments with strict browser origin policies and key hygiene.

February 15, 2026
6 min read

Origin Allowlists

Each deployment has an allowed origin list.

  • Browser requests include Origin.
  • If origin is not listed, the request is rejected.
  • Non-browser/server-to-server requests can omit Origin.

Best Practices

  1. Allow only exact origins you control.
  2. Use separate deployments per environment (prod/staging).
  3. Rotate public keys after exposure incidents.
  4. Keep deployment status as draft until integration is ready.
  5. Monitor deployment traffic and error rates.

Public Key Handling

Deployment public keys are safe to expose to frontend clients, but still should be treated as integration credentials. If leaked unexpectedly, rotate the key.