
Allowed Domains

Restrict which websites can embed your map for security and access control.

How It Works

When allowed domains are configured, the embed iframe only loads on websites that match the domain list. Requests from other domains are rejected.

Configuring Domains

  1. Open your project in the editor
  2. Open the Settings panel in the editor sidebar
  3. Add domains in the Allowed Domains section
  4. Save

Examples

| Domain entry | Matches |
| --- | --- |
| `example.com` | `https://example.com/*` |
| `*.example.com` | `https://shop.example.com/*`, `https://blog.example.com/*` |
| `localhost` | `http://localhost:*` (for development) |
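
The matching rules in the table above, written out as an added JavaScript example (not Layota's own code). The function names, the choice of checking the embedding page's URL, the wildcard not covering the apex domain, and plain http being limited to `localhost` are assumptions made for illustration.

```javascript
// Added example: a hypothetical matcher, not Layota's implementation.
// Assumption: the check runs against the URL of the embedding page.

// Returns true when `hostname` satisfies one allowed-domain entry.
function hostMatchesEntry(hostname, entry) {
  const host = hostname.toLowerCase().replace(/\.$/, ''); // drop trailing dot
  const rule = entry.trim().toLowerCase();
  if (rule.startsWith('*.')) {
    // Wildcard: require a label boundary, so "evil-example.com" and
    // "example.com.attacker.test" do not match "*.example.com".
    // Assumption: the wildcard does not cover the bare apex domain.
    const suffix = rule.slice(1); // ".example.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === rule; // exact entry: the whole hostname must be equal
}

// Returns true when the page at `pageUrl` may embed the map.
function isAllowedEmbedder(pageUrl, allowedDomains) {
  if (allowedDomains.length === 0) return true; // no domains set: open embed
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return false; // a missing or unparsable URL is rejected
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  // url.hostname excludes port, path and userinfo, so
  // "https://example.com@attacker.test/" resolves to attacker.test here.
  return allowedDomains.some((entry) => {
    // Assumption: plain http is accepted only for the localhost entry.
    const rule = entry.trim().toLowerCase();
    if (url.protocol === 'http:' && rule !== 'localhost') return false;
    return hostMatchesEntry(url.hostname, entry);
  });
}

// Constructed sample inputs (hostnames are illustrative).
const sampleAllowed = ['example.com', '*.example.com', 'localhost'];
const samplePages = [
  'https://shop.example.com/cart',      // allowed by the wildcard entry
  'http://localhost:5173/',             // allowed for development
  'https://evil-example.com/',          // rejected: no label boundary
  'https://example.com.attacker.test/', // rejected: suffix, not hostname
];
for (const page of samplePages) console.log(page, isAllowedEmbedder(page, sampleAllowed));
```
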

API Key Requirement

When allowed domains are set, the embed and SDK must include an API key:

```html
<script src="https://layota.app/embed.js"></script>
<layota-map
  src="https://layota.app/embed/PROJECT_ID?apiKey=sk_..."
  style="width: 100%; height: 600px;"
></layota-map>
```

Or with iframe:

```html
<iframe src="https://layota.app/embed/PROJECT_ID?apiKey=sk_..."></iframe>
```

Or with the SDK:

```typescript
const map = new LayotaMap({
  container: '#map',
  projectId: 'PROJECT_ID',
  apiKey: 'sk_...',
})
```

See API Keys for key management.

No Domains Set

If no allowed domains are configured, the map can be embedded on any website without an API key. This is the default for new projects.
