Domain locking lets you control exactly which domains are permitted to receive schemas from your SDN client. When domain locking is enabled, the SDN checks the requesting domain against your allowlist before returning any schema data. Requests from domains not on the list are rejected entirely.
Domain locking is available on the Agency plan ($99/mo) only. If you’re on the Free or Pro plan, all domains can request schemas from your client by default. Upgrade to Agency to enable domain locking.

Why domain locking matters

Your SDN client ID is embedded in your site’s script tag. In principle, anyone who finds that client ID could point their own site at your SDN client and load your published schemas. Domain locking prevents this by enforcing an allowlist at the edge—before any schema data is returned.
Use domain locking to:
  • Prevent schema leakage to unauthorized sites or competitors
  • Protect client schemas when managing schemas for multiple client websites under a single agency account
  • Enforce delivery boundaries when your client ID is used across staging, production, and third-party domains

How the SDN enforces domain locking

When a page loads your SDK script tag, the SDK calls the inject API:
GET /api/inject?clientId=YOUR_CLIENT_ID&url=https://yoursite.com/page
The SDN reads the Origin header of this request. If domain locking is enabled for the client and the requesting origin is not in your allowlist, the SDN returns a 403 Forbidden response. No schema data is included in the response. The SDK silently handles the blocked response—your site continues to function normally, just without schema injection on that domain.

Configuring domain locking

  1. Open Client Settings. In your SchemaGen dashboard, navigate to Clients and select the client you want to protect. Click Settings to open the client configuration panel.
  2. Go to the Domains tab. Inside Client Settings, select the Domains tab. This is where you manage the allowlist for SDN delivery.
  3. Add your allowed domains. Click Add Domain and enter each domain that should be permitted to receive schemas from this client. Add your production domain first, then any staging or preview environments you want to allow.
  4. Save your settings. Click Save. Domain locking activates immediately—requests from domains not on your list are blocked from this point forward.

Supported domain formats

You can add domains in the following formats:
| Format | Example | What it matches |
| --- | --- | --- |
| Exact domain | example.com | Only example.com |
| Wildcard subdomain | *.example.com | Any subdomain: www.example.com, staging.example.com, etc. |
| Subdomain + wildcard | staging.example.com | Only staging.example.com |
Use wildcard entries (*.example.com) when you want to cover all subdomains of a root domain—for example, if your agency uses preview URLs like client-preview.youragency.com across multiple projects.
After saving your domain settings, test delivery from each allowed domain to confirm schemas are being injected correctly. Open your browser’s developer tools, load a page where a published schema is targeted, and check the Network tab for a successful response from /api/inject. A 200 response means delivery is working; a 403 means the domain is not on the allowlist.
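The Origin check and the entry formats above can be modelled as follows. This is an added example, not SchemaGen's own code: the function names, the client object shape and the sample origins are hypothetical, and it assumes that a wildcard entry does not cover the bare root domain, that the port is ignored, and that a missing or unparseable Origin is rejected.

```javascript
// Extract a lowercase hostname from an Origin header value, or null if unusable.
function hostFromOrigin(origin) {
  if (typeof origin !== "string") return null;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null; // covers "", "null" (opaque origins) and malformed values
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.hostname.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
}

// Compare one allowlist entry (exact or "*.root") against a hostname.
function entryMatches(entry, host) {
  const e = entry.trim().toLowerCase();
  if (e.startsWith("*.")) {
    const suffix = e.slice(1); // ".example.com": the leading dot forces a label boundary
    // Assumption: the wildcard covers subdomains only, not the bare root domain.
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === e;
}

// Status the inject endpoint would return for this Origin (200 or 403).
function injectStatus(origin, client) {
  if (!client.domainLocking) return 200; // unlocked clients serve every domain
  const host = hostFromOrigin(origin);
  if (host === null) return 403; // assumption: fail closed without a usable Origin
  return client.allowedDomains.some((e) => entryMatches(e, host)) ? 200 : 403;
}

// Constructed sample client and origins (not real SchemaGen data).
const sampleClient = {
  domainLocking: true,
  allowedDomains: ["example.com", "staging.example.com", "*.youragency.com"],
};
const sampleOrigins = [
  "https://example.com",
  "https://www.example.com",
  "https://client-preview.youragency.com",
  "https://youragency.com",
  "https://notyouragency.com",
  "https://youragency.com.unrelated.test",
  "null",
];
for (const o of sampleOrigins) console.log(injectStatus(o, sampleClient), o);
```

The last three hostnames are the cases a plain substring or suffix comparison would wrongly accept; requiring the leading dot in the wildcard comparison is what keeps them out.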

What an unauthorized request looks like

If a domain that is not on your allowlist attempts to load schemas from your client, the SDN blocks the request:
GET /api/inject?clientId=YOUR_CLIENT_ID&url=https://unauthorized-site.com/page
→ 403 Forbidden
The SDK handles this gracefully—no errors are thrown on the page, and the site loads normally without schema injection. Your published schemas remain private to your approved domains.

Removing or updating domain entries

To update your allowlist at any time:
  1. Go to Clients → Settings → Domains
  2. Remove or edit any existing entries
  3. Add new domains as needed
  4. Click Save
Changes to your domain allowlist take effect immediately. If you remove a domain that was previously allowed, the SDN begins blocking requests from that domain on the next SDK call.
If you remove your own production domain from the allowlist by mistake, schema delivery to your live site will stop immediately. Keep your production domain on the list at all times, and double-check your entries before saving.