Secure your publishable API key by whitelisting domains for REST API Calls for a given publishable key
All IEX Cloud users can restrict calls made to IEX Cloud with a publishable API token to only those calls that have an HTTP referer header that matches the criteria set by the user (NB: the http referer header is a result of a misspelling of the word ‘referrer’ that has now become part of the HTTP standard).
To set this domain restriction for any publishable key, navigate to the API Tokens section of the IEX Cloud Console. Click the Manage button next to the API Key you want to set the domain restriction for. When you click the button a section appears where you can restrict the domains for that key in the “Manage domains” form. For Business plan users and legacy Grow and Scale users, this section also allows you to enable signed requests.
Once you specify your restricted domain(s) for the associated key in the input field, simply click the “Update domain” button, and the restriction will go into effect within 30 seconds or so.
Single Domain Restrictions
A domain restriction can be a URL or an actual IP address. The form checks each domain restriction to ensure it is a valid input. If any of the inputted domain restrictions are not valid you will not be able to hit the “Update domain” button to update the restriction.
Any domain restriction automatically appends a wildcard (“*”) to the end of the domain that allows the referer to include anything in the path following the restriction. So, for example, if you put in a restriction of ‘www.example.com’, all these HTTP referers would be considered valid requests:
If you want to further restrict the path, you can update your restriction to a longer path. So, if you set the domain restriction to ‘www.example.com/app/stock’, then these would be valid referers:
while these would not be valid referers under the restriction ‘www.example.com/app/stock’:
Protocol Restrictions (HTTP v. HTTPS)
If you don't specify a protocol then we will automatically allow for referers with both the HTTPS and HTTP protocol. If you wanted to specify only HTTPS you should include it in the restriction like so - ‘https://www.example.com’. Under this restriction, ‘https://www.example.com/stock’ would be a valid referer, while ‘http://www.example.com/stock’ would NOT be a valid referer.
Allowing multiple subdomains
You can append a wildcard ‘*’ character at the beginning of restrictions to allow for multiple subdomains. So, for example, if you have a restriction of ‘https://*.example.com’, then the following would all be valid referers:
Multiple Domain Restrictions
To set multiple domain restrictions simply separate each one with a single space. So, for example, if I set a restriction of
it would allow requests with referers such as:
As the example demonstrates, when multiple restrictions are set, any referer that is valid under any of the constraints will be considered valid
Please note that while restricting the HTTP referer does provide a layer of security, someone could make a request with your token and spoof the referer header.
Users who want a more robust security feature may want to utilize signed requests.