Allowed origins
Restrict the widget to your own domains.
The widget runs in any browser that loads your snippet. To make sure only your websites can use it, configure the Allowed Origins list. Anything outside the list is rejected by the Pegasus backend with "This website is not authorized to use this widget."
How origins are matched
An origin is the protocol + domain + (optional) port:
https://example.com
https://app.example.com
http://localhost:3000
Matching is exact. https://example.com does not include https://www.example.com; add both if you serve both.
Adding an origin
Open the Allowed Origins section
On the bot's Embed tab.
Type the URL
Use the full origin with protocol. The input rejects invalid URLs with "Enter a valid URL (e.g. https://example.com)".
Click Add
The origin appears in the list immediately.
Removing an origin
Click the trash icon next to an origin to remove it. The removal takes effect immediately: visitors on that origin will be blocked from new sessions.
Empty list = no restriction
If the list is empty, Pegasus shows "No restrictions — any domain can load this widget." Any site that has your snippet can use it. This is fine for testing but not recommended for production.
Local development
For local development, add http://localhost:3000 (or your local port). Some browsers report pages opened from file:// URLs with an origin that cannot match any list entry, so serve the page from a local web server rather than opening it from a file path.
Subdomain wildcards
Wildcards (*.example.com) are not supported today. List each subdomain you want to allow.
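The rules on this page (exact origin match, no wildcards, an empty list meaning no restriction, file:// pages not matching) can be checked against the pages you actually serve before you rely on the list. This is an added example, not Pegasus code: it assumes entries compare as WHATWG URL origins, and the function names and sample URLs are constructed for illustration.

```javascript
// Added example: audit a planned Allowed Origins list against the pages that embed the widget.
// Assumption: an entry and a page match only when their WHATWG origins are identical.

// Returns the origin string for an http(s) URL, or null when it cannot be matched.
function toOrigin(value) {
  if (value.includes("*")) return null; // wildcards are not supported
  let url;
  try { url = new URL(value); } catch { return null; }
  // file:// and other non-web schemes have no usable origin
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.origin; // scheme + host + (non-default) port
}

function auditAllowedOrigins(allowedList, pageUrls) {
  const allowed = new Set();
  const invalidEntries = [];
  for (const entry of allowedList) {
    const origin = toOrigin(entry);
    if (origin === null) invalidEntries.push(entry);
    else allowed.add(origin);
  }
  const unrestricted = allowedList.length === 0; // empty list: any site can load the widget
  const blocked = new Set();
  const unmatchable = [];
  for (const page of pageUrls) {
    const origin = toOrigin(page);
    if (origin === null) unmatchable.push(page);
    else if (!unrestricted && !allowed.has(origin)) blocked.add(origin);
  }
  return { unrestricted, invalidEntries, blocked: [...blocked], unmatchable };
}

// Constructed sample data: one planned list and the pages expected to host the widget.
const report = auditAllowedOrigins(
  ["https://example.com", "https://*.example.com", "http://localhost:3000"],
  [
    "https://example.com/pricing",
    "https://www.example.com/",
    "https://app.example.com/chat",
    "http://localhost:3000/dev.html",
    "http://localhost:8080/dev.html",
    "file:///home/dev/widget-test.html",
  ]
);
console.log(report);
```

Each origin reported under `blocked` needs its own list entry, and an `unrestricted` result of `true` means the list should be filled in before production use.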
What happens to existing sessions when you remove an origin?
Active visitor sessions on the removed origin can finish their current message but cannot start new sessions. New page loads on that origin are blocked.