
Your Storefront API token is public by default — anyone who has it can use it from any website. To limit which domains can call the Storefront API with your token, manage the Allowed Origins list in your OpenBridge dashboard.

Why restrict origins?

Storefront tokens are designed to be embedded in client-side code, so they’re inherently visible to anyone viewing your site. That’s normally fine — but if a token is scraped and reused on a different site, you may want to block it. Restricting origins gives you:
  • Domain-level access control: only your own sites can use the token
  • Wildcard support: *.example.com covers every subdomain
  • Local development: localhost works out of the box

Manage origins

Open Dashboard → Origins to add, remove, and toggle origin restrictions.

You can also reach this page from the Manage Allowed Origins button in the OpenBridge embedded Shopify app.

How it works

OpenBridge inspects the Origin header on every incoming Storefront API request. When restrict mode is on, the request is matched against your allowed list.

Restrict mode

  • Off (default): every origin can use the token.
  • On: only origins on your list can use the token. Requests from other origins return 403 Forbidden.

Origin formats

Format             | Example          | Matches
-------------------|------------------|------------------------------------------
Exact host         | shop.example.com | Only shop.example.com
Wildcard subdomain | *.example.com    | www.example.com, shop.example.com, etc.
Localhost          | localhost        | Local development
With port          | localhost:3000   | A specific local port
Origins are normalized to lowercase, without the protocol (https://) or trailing slashes. For example, HTTPS://Example.com/ becomes example.com.

Limits

  • Up to 10 origins per shop.
  • Origins are matched against the Origin header sent by the browser — server-side calls without an Origin header still go through when restrict mode is off.

Common patterns

Production site only
  • example.com
  • www.example.com

Production + staging + local dev
  • example.com
  • www.example.com
  • *.staging.example.com
  • localhost
  • localhost:3000

Multi-tenant SaaS
  • *.app.example.com
  • example.com

Troubleshooting

  • Requests return 403 Forbidden: restrict mode is on and the request’s Origin doesn’t match any entry on your list. Add the origin in the dashboard, or temporarily turn off restrict mode while you debug.
  • A wildcard entry is rejected or doesn’t match: wildcards only work as the leftmost label. *.example.com is valid; shop.*.com is not.
  • Non-browser requests are not blocked: restriction is based on the Origin header, which only browsers attach. A curl or backend request typically has no Origin and is allowed through. Use admin-side authentication if you need to block server-side use.
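The following JavaScript is an added example, not OpenBridge's own code: it models the origin normalization and matching rules from the Origin formats section, the 10-entry limit, and the two Troubleshooting caveats (wildcards only as the leftmost label; requests with no Origin header pass through), so you can sanity-check an allow list offline before turning restrict mode on. The function names are mine, and two details are assumptions rather than documented behaviour: a wildcard entry matches subdomains at any depth but not the bare apex, and a port in the Origin must match an entry that names that port.

```javascript
// Added example (not OpenBridge's code): a local model of the Storefront API
// allowed-origins check, for reviewing a list before enabling restrict mode.

const MAX_ORIGINS = 10; // documented limit: up to 10 origins per shop

// Normalize an allow-list entry or a request's Origin header as the docs
// describe: lowercase, strip the scheme ("https://"), strip trailing slashes.
function normalizeOrigin(value) {
  let s = String(value).trim().toLowerCase();
  s = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, ""); // drop "https://", "http://"
  s = s.replace(/\/+$/, "");                    // drop trailing slashes
  return s;
}

// An entry is a host with an optional port, optionally prefixed by "*." as the
// leftmost label only. "*.example.com" is valid; "shop.*.com" and "*" are not.
function isValidEntry(entry) {
  const e = normalizeOrigin(entry);
  if (e === "") return false;
  const hostPattern = /^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?$/;
  return hostPattern.test(e);
}

// Report problems with a whole allow list (too many entries, invalid entries).
function checkAllowList(entries) {
  const problems = [];
  if (entries.length > MAX_ORIGINS) {
    problems.push(`more than ${MAX_ORIGINS} origins`);
  }
  for (const entry of entries) {
    if (!isValidEntry(entry)) problems.push(`invalid entry: ${entry}`);
  }
  return problems;
}

// Does one entry match one Origin header value?
// Exact entries must match exactly (host and port included). Wildcard entries
// match any host that ends in ".example.com" with at least one label before
// it; matching the bare apex "example.com" is NOT assumed (the Common patterns
// section lists the apex separately alongside the wildcard).
function originMatches(entry, origin) {
  const e = normalizeOrigin(entry);
  const o = normalizeOrigin(origin);
  if (!e.startsWith("*.")) return e === o;
  const suffix = e.slice(1); // "*.example.com" -> ".example.com"
  return o.endsWith(suffix) && o.length > suffix.length;
}

// Decide a request. Restrict mode off: everything passes. On: the Origin
// header must match an entry, otherwise 403. A request carrying no Origin
// header (curl, a backend job) is allowed through, as the Troubleshooting
// section notes; block server-side use with admin-side authentication instead.
function decideRequest(allowList, restrictMode, originHeader) {
  if (!restrictMode) return { allowed: true, reason: "restrict mode off" };
  if (originHeader === undefined || originHeader === null) {
    return { allowed: true, reason: "no Origin header (non-browser client)" };
  }
  const hit = allowList.find((entry) => originMatches(entry, originHeader));
  return hit
    ? { allowed: true, reason: `matched ${normalizeOrigin(hit)}` }
    : { allowed: false, status: 403, reason: "origin not on allow list" };
}

// Constructed sample: the "Production + staging + local dev" pattern from the
// page, plus one deliberately invalid entry to show the validator catching it.
const sampleList = [
  "example.com",
  "www.example.com",
  "*.staging.example.com",
  "localhost",
  "localhost:3000",
  "shop.*.com", // invalid: wildcard is not the leftmost label
];
console.log("list problems:", checkAllowList(sampleList));

// Constructed request Origins, as a browser would send them.
const validList = sampleList.slice(0, 5);
for (const origin of [
  "https://www.example.com",
  "https://preview.staging.example.com",
  "http://localhost:3000",
  "http://localhost:5173",   // port not on the list
  "https://scraper.example.net",
  undefined,                 // no Origin header at all
]) {
  console.log(String(origin), "->", decideRequest(validList, true, origin));
}
```

Run it with `node` to see each constructed Origin decided against the list; the lines for localhost:5173 and scraper.example.net come back as 403, while the request with no Origin header passes, which is exactly the gap the last Troubleshooting item describes.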