Managing Allowed Origins for Digital Humans

this section details the process of configuring domain whitelisting for your embedded digital human this allows you to define the approved websites where the digital human is authorized to operate the https //platform api unith ai/api/#/head/headcontroller setallowedoriginsbyid endpoint controls which domains can access the digital human api the default value is , meaning that requests from any origin are permitted while convenient for initial setup, restricting allowedorigins to a whitelist of known domains is crucial for enhanced security in production deployments to whitelist domains, you must specify the unique head id, as origin whitelisting is managed individually for each digital human curl example curl x 'put' \\ 'https //platform api unith ai/head/yourheadid/allowed origins' \\ h 'accept application/json' \\ h 'authorization bearer yourbearertoken' \\ h 'content type application/json' \\ d '\[ "yourdomain" ]' restricting the origin to allow access only from https //www unith ai , configure the origins parameter as follows \[“ https //www unith ai ] to permit access from both https //www unith ai and https //www unith2 ai , use the following configuration \[“ https //www unith ai “, “ https //www unith ai “] to allow access from any origin, effectively making the digital human public again, set the origins parameter to \[“ “] iframe the same principles of origin restriction apply to embedding the digital human within an iframe to control which domains are allowed to embed the digital human via an iframe, you can manage a separate whitelist of origins specifically for iframe integration use the following endpoint https //platform api unith ai/api/#/head/headcontroller setallowediframeoriginsbyid in order to set specific domains for your digital human using id curl x 'put' \\ 'https //platform api unith ai/head/yourheadid/iframe/allowed origins' \\ h 'accept application/json' \\ h 'authorization bearer yourbearertoken' \\ h 'content type application/json' \\ d '\["www yourdomain ai"]' interface to restrict domains, you can do so within interface itself first, navigate to your "dashboard" and click the edit button (the pencil icon) on any of your deployed digital humans this will open a new window where you can control all aspects of your digital human's configuration within this window, go to the "security" section, enable the "restrict domains" toggle, and then add the specific domains you wish to restrict please be aware that when configuring allowed iframe origins /head/{id}/iframe/allowed origins , you must also include https //chat unith ai in the general allowed origins /head/{id}/allowed origins also, note that you might not be able to preview the digital human directly unless you've specified its domain in the allowed domains list when adding new domains, it's crucial to use the correct format here's an example to follow https //www unith ai to test your video only digital human in a local development environment , you must whitelist your local domains directly via the api , as the user interface (interface) does not support local domain configuration for this specific purpose to whitelist your local development url(s), use the following endpoint endpoint /head/ yourheadid /iframe/allowed origins method put description adds or updates the list of allowed origins (domains) for your digital human's iframe embedding request headers accept application/json authorization bearer \<yourbearertoken> (replace \<yourbearertoken> with your actual authentication bearer token) content type application/json request body a json array containing the local host url(s) you wish to whitelist curl example curl x 'put' \\ 'https //platform api unith ai/head/yourheadid/iframe/allowed origins' \\ h 'accept application/json' \\ h 'authorization bearer yourbearertoken' \\ h 'content type application/json' \\ d '\[ "http //localhost 3000", "http //127 0 0 1 8080" ]' replace yourheadid with the actual id of your digital human head and yourbearertoken with your valid authentication token include all relevant local development urls (e g , http //localhost 3000 , http //127 0 0 1 8080 ) that your application will use