API security & domain restriction

This section introduces two ways to tighten security: restricting the IP addresses from which Platform API calls can be made, and restricting the domains from which SDK users can connect, authenticate, and use Sendbird’s SDKs. Neither setting is required, but both may be of great use depending on your security posture.

Allowed domains

You can restrict which domains are permitted to call the Sendbird app, preventing other websites from embedding it. You can check the settings in Settings > Application > Security > Allowed domains.

You can allow multiple domains to access the application. You may include the protocol (http:// or https://) and subdomains. Do not include a port number or a slash ('/') after the domain.

  • Suitable: https://www.example.com, http://subdomain.example.com
  • Unsuitable: https://www.example.com:8080, https://example.com/

This setting applies only to SDKs that use browsers.
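A small linter for candidate Allowed domains entries, checking only the format rules stated above before the list is entered in the dashboard. This is an added example, not Sendbird code or Sendbird's own validation logic; the function name `checkAllowedDomain` and the extra sample entries are assumptions made for illustration.

```javascript
// Added example (not Sendbird code): lint entries for the "Allowed domains"
// setting against the format rules stated on this page only.
function checkAllowedDomain(entry) {
  const problems = [];
  let rest = entry.trim();
  let scheme = '';
  // Protocol is optional; the page names only http:// and https://.
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(rest);
  if (m) {
    scheme = m[1].toLowerCase();
    rest = m[2];
  }
  const schemeOk = scheme === '' || scheme === 'http' || scheme === 'https';
  if (!schemeOk) problems.push(`protocol "${scheme}" is not http or https`);
  // No slashes after the domain, not even a single trailing one.
  const slash = rest.indexOf('/');
  const authority = slash === -1 ? rest : rest.slice(0, slash);
  if (slash !== -1) problems.push('slash after the domain');
  // No port number after the domain.
  const portMatch = /:(\d+)$/.exec(authority);
  const host = portMatch ? authority.slice(0, portMatch.index) : authority;
  if (portMatch) problems.push(`port number ${portMatch[1]}`);
  if (host === '') problems.push('empty domain');
  // Suggested form: same protocol and domain, with port and path removed.
  const suggestion = host !== '' && schemeOk ? (scheme ? `${scheme}://` : '') + host : null;
  return { entry, ok: problems.length === 0, problems, suggestion };
}

// Constructed sample input: the four entries from the page plus two more.
const sample = [
  'https://www.example.com', 'http://subdomain.example.com',
  'https://www.example.com:8080', 'https://example.com/',
  'example.com', 'https://example.com:8443/app',
];
for (const r of sample.map(checkAllowedDomain)) {
  const note = r.ok ? '' : `-> ${r.suggestion} (${r.problems.join(', ')})`;
  console.log(r.ok ? 'OK ' : 'FIX', r.entry, note);
}
```

The suggested form drops the port and path; confirm that the resulting domain is one you intend to allow before saving it.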

Allowed IPs for API calls

You can restrict the IP addresses allowed to call Sendbird's platform API, enhancing security. You can configure the settings in Settings > Application > Security > Allowed IPs for API calls.

When enabled, API requests from unauthorized IP addresses will be rejected.