Origin guard & rate limiting
Promptly protects your widget endpoints in two ways: an origin guard that restricts which websites may load your widget, and rate limiting that throttles abusive traffic. Both run automatically — you only need to configure the list of domains you trust.
Origin guard (allowed domains)
By default, with no domains configured, your widget responds to requests from any origin (this keeps first-time setup simple). Once you add one or more domains to your Allowed domains list, the guard activates: the widget only answers requests coming from those domains, and requests from any other origin are rejected with a
403How a request is judged:
- The browser-enforced Origin header is checked first. Browsers set this automatically and a page cannot fake it, so it is the most trustworthy signal.
- If there is no Origin header, Promptly falls back to a header (sent by the embedded widget) or thetext
X-Parent-Origin. These are convenience fallbacks.textReferer - Turn on Require strict origin to reject those fallbacks entirely and accept only a genuine browser Origin. This is the strongest setting.
Domain matching rules:
- — exact hostname match (port ignored for production domains).text
example.com - — matches any subdomain (e.g.text
*.example.com) but not the baretextapp.example.com.textexample.com - ,text
localhost, andtext127.0.0.1are treated as equivalent; you can pin a port withtext::1or allow any port with baretextlocalhost:3000.textlocalhost
When a whitelist is set, requests with no Origin or Referer at all are blocked.
🖼️ [Image] — The widget settings panel showing the Allowed domains list and the "Require strict origin" toggle.
Add the domains where your widget will actually run — see Embedding the widget.
Rate limiting
Promptly throttles requests per minute to absorb spikes and block abuse. Limits are applied by category:
- Widget chat (sending messages) and start-conversation requests are limited per visitor IP, since AI replies are expensive and new-conversation calls are a common spam vector.
- Dashboard / tenant API calls are limited per account.
- Login, registration, and password-reset routes have their own stricter per-IP windows to stop credential-stuffing and signup abuse.
When a limit is exceeded, Promptly returns
429 Too Many RequestsRetry-After403You do not configure these limits; they protect every account automatically.