Managing Allowed Origins for Digital Humans
This section details the process of configuring domain whitelisting for your embedded digital human. This allows you to define the approved websites where the digital human is authorized to operate.
Access to the origin whitelisting functionality is restricted to specific premium subscription tiers.
The /head/{id}/allowed-origins endpoint controls which domains can access the digital human API. The default value is *, signifying that requests from any origin are permitted. While convenient for initial setup, restricting allowedOrigins to a whitelist of known domains is crucial for enhanced security in production deployments.
To whitelist domains, you must specify the unique head ID, as origin whitelisting is managed individually for each digital human.
To specify the domains authorized to load the digital human, use the following endpoint /head/{id}/allowed-origins. This endpoint allows you to manage the whitelist of origins that can interact with a specific digital human identified by {id}. By default, all origins are permitted; however, configuring this whitelist is highly recommended for production environments.
Use the following format of the body in order to specify domains
To allow access only from https://www.unith.ai, configure the origins parameter as follows:
To permit access from both https://www.unith.ai and https://www.unith2.ai, use the following configuration:
To allow access from any origin, effectively making the digital human public again, set the origins parameter to:
The same principles of origin restriction apply to embedding the digital human within an iframe.
To control which domains are allowed to embed the digital human via an iframe, you can manage a separate whitelist of origins specifically for iframe integration.
Use the following endpoint /head/{id}/iframe/allowed-origins in order to set specific domains for your digital human using id.
