Configure embed origins

Allowlist exact browser origins and return URLs before embedding or redirecting to 0Gate.

Origin and return URL configuration protects hosted flows from being mounted or redirected from unapproved web properties. Configure these values before production traffic.

Use exact origins

Treat origin allowlists as security controls. Avoid wildcard thinking, broad domains, temporary tunnel URLs in live mode, or unreviewed customer-controlled redirect targets.

Configuration model

Values to register

Value	Example shape	Rule
Local development origin	`http://localhost:3000`	Sandbox only.
Staging origin	`https://staging.example.com`	Separate from production.
Production origin	`https://app.example.com`	Exact scheme and host.
Return URL	`https://app.example.com/checkout/return`	Server-backed status page.
Cancel URL	`https://app.example.com/checkout/cancel`	Server-backed retry or close page.

Implementation checklist

List every web origin that will mount the widget.
List every return and cancel URL that 0Gate can redirect to.
Separate sandbox, staging, and production values.
Remove tunnel, preview, and test URLs before launch.
Keep outcome pages server-backed so they read trusted state.

const allowedReturnUrls = new Set([
  'https://app.example.com/checkout/return',
  'https://app.example.com/checkout/cancel',
]);

function assertReturnUrl(url: string) {
  if (!allowedReturnUrls.has(url)) {
    throw new Error('return_url_not_allowed');
  }
}

Configure return URLs and outcome pages

Build status pages that verify server state.

Embed the 0Gate widget

Mount the hosted iframe from an approved origin.

Use hosted redirect & WebViews

Use top-level redirect when iframe embedding is not right.