Allowed domains and redirects
Configure exact embed origins and safe return/cancel URLs for 0Gate hosted widget and redirect flows.
0Gate embed bootstrap checks browser origin against the partner's allowed domains. Return and cancel URLs should route users back to safe pages that read backend state instead of assuming checkout completion from navigation.
Domain model
| Value | Use | Rule |
|---|---|---|
| Allowed domain origin | Controls where the hosted widget can be embedded. | Exact origin match; register each production, staging, and local origin. |
| return_url | Sends the user back after hosted success path. | HTTPS origin should be allowed; treat as UX navigation only. |
| cancel_url | Sends the user back after abandonment or cancellation. | Route to retry or closed-attempt UX. |
| Hosted redirect origin | 0Gate-hosted page for top-level redirect. | Session client_secret is required for hosted mode. |
Configuration flow
Origin examples
| Environment | Example origin |
|---|---|
| Local dev | http://localhost:3000 |
| Staging | https://staging.example.com |
| Production app | https://app.example.com |
| Production checkout | https://checkout.example.com |
Do not rely on wildcard domains. Register every origin that will embed the widget or host return pages.
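The following is an added example, not 0Gate's code, of exact origin matching as a partner might apply it to its own allowlist and to return_url and cancel_url values before creating a session. The function names, the rejection of embedded credentials, and the HTTP exception for localhost are assumptions; the allowlist reuses the example origins from the table above.

```typescript
// Constructed allowlist: the example origins from the table above.
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  'http://localhost:3000',
  'https://staging.example.com',
  'https://app.example.com',
  'https://checkout.example.com',
]);

// Reduce a URL or Origin header value to scheme://host[:port].
// Returns null for anything that is not a clean http(s) URL.
function toOrigin(value: string): string | null {
  try {
    const url = new URL(value);
    if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
    // Assumption: URLs carrying user:password@ are never legitimate here.
    if (url.username !== '' || url.password !== '') return null;
    return url.origin; // host is lowercased, default port is dropped
  } catch {
    return null; // unparsable input, including the literal Origin value "null"
  }
}

// Exact match only: no wildcard, prefix, or suffix comparison.
function isAllowedOrigin(value: string, allowed = ALLOWED_ORIGINS): boolean {
  const origin = toOrigin(value);
  return origin !== null && allowed.has(origin);
}

// return_url / cancel_url: the origin must be registered and use HTTPS.
// Assumption: plain HTTP is tolerated only for localhost development.
function isSafeRedirectUrl(value: string, allowed = ALLOWED_ORIGINS): boolean {
  if (!isAllowedOrigin(value, allowed)) return false;
  const url = new URL(value);
  return url.protocol === 'https:' || url.hostname === 'localhost';
}
```

Comparing the parsed origin rather than the raw string is what makes `https://app.example.com:443` match its registered form while a lookalike host that merely starts with a registered name does not.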
Return page pattern
```ts
// `api` is your own backend client; the order status comes from the server, not from the URL.
export async function loadReturnPage(orderId: string) {
  const order = await api.getOrder(orderId);
  if (order.status === 'completed') return { view: 'success' };
  if (order.status === 'failed') return { view: 'failed' };
  // Any other status is still pending: show a processing view.
  return { view: 'processing' };
}
```

The return page should ask your backend for state. It should not mark the order paid simply because the browser reached the route.