ProductMarch 18, 2026·4 min read·TrackStack Team

Domain allowlisting for public API keys

TrackStack public keys ship in client bundles. Domain allowlisting restricts which origins can send events — a basic security control every production app should configure.

  • API keys
  • security
  • allowlist
  • origins

Problem: Your NEXT_PUBLIC_TRACKSTACK_KEY is visible in the browser bundle. Someone copies it and sends junk events from another site, polluting your delivery logs and potentially your ad platform data.

Public keys are intentionally public

Client-side SDKs require a key in the browser — same as Stripe publishable keys or PostHog project keys. Security comes from origin restrictions and server-side validation, not from hiding the key.

TrackStack validates Origin and Referer against your allowlist. Unlisted domains are rejected before entering the delivery pipeline.

What to allowlist

Add every domain where your app runs: production, staging, and localhost:3000 for local dev with real keys.

Include apex and www if both serve the app. Add Vercel preview domains or use a separate staging key.

Environment separation

Use different projects or keys for production and staging. Production allowlists should be tight. Never reuse production keys in public sandboxes.

Rotate keys after accidental exposure — allowlisting limits blast radius.

Failure symptoms

If events stop after a domain change, check allowlist first. New custom domains and preview URLs are common causes.

Delivery logs show 403 for blocked origins.
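The two passages above (Origin/Referer validation against the allowlist, and the 403 that blocked origins produce) are easy to reason about with a concrete check in front of you. The following is an added example written for this post, not TrackStack's own ingest code: a plain JavaScript function of the kind that would sit in an edge handler before the event pipeline. The allowlist entries, the lowercase-keyed header object (as Node's `req.headers` provides) and the rule that plain `http:` is accepted only for localhost are all assumptions of the example. Entries are exact `host[:port]` strings, so apex and www are separate entries and preview domains must be listed explicitly, matching the post's advice.

```javascript
// Added example (not TrackStack's code): origin allowlist check for an
// event-ingest endpoint. Allowlist entries are exact "host[:port]" strings,
// so "example.com" and "www.example.com" are distinct, and "localhost:3000"
// carries its port. These entries are constructed for the example.
const ALLOWED_ORIGINS = new Set([
  "example.com",
  "www.example.com",
  "staging.example.com",
  "preview-123.example-app.vercel.app", // list each preview explicitly
  "localhost:3000",
]);

// Hosts that may be reached over plain http: during local development.
// Assumption of the example; everything else must be https:.
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1"]);

// Reduce an Origin or Referer value to a comparable "host[:port]" string.
// Returns null for anything that is not an absolute http(s) URL, which
// covers the literal "null" origin (sandboxed iframes, file://) and garbage.
function normalizeHost(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol === "http:") {
    if (!LOCAL_HOSTS.has(url.hostname)) return null;
  } else if (url.protocol !== "https:") {
    return null;
  }
  // url.host is already lowercased and drops default ports (443, 80),
  // so "https://Example.COM:443/" and "https://example.com" compare equal.
  return url.host;
}

// Decide whether a request may enter the delivery pipeline.
// `headers` is a lowercase-keyed object like Node's req.headers (assumption).
// Origin is authoritative for cross-origin browser requests; Referer is
// consulted only when Origin is absent. Missing both is rejected: an event
// with no provenance at all should not be trusted by default.
function checkOrigin(headers, allowlist = ALLOWED_ORIGINS) {
  const candidate = headers.origin ?? headers.referer ?? null;
  if (candidate === null) {
    return { allowed: false, status: 403, reason: "missing Origin and Referer" };
  }
  const host = normalizeHost(candidate);
  if (host === null) {
    return { allowed: false, status: 403, reason: "unparseable or non-https origin" };
  }
  if (!allowlist.has(host)) {
    return { allowed: false, status: 403, reason: `origin ${host} not allowlisted` };
  }
  return { allowed: true, status: 200, reason: "ok" };
}

// Stand-alone demonstration with constructed headers.
const samples = [
  { origin: "https://www.example.com" },
  { origin: "https://evil.example.net" },
  { origin: "http://localhost:3000" },
  { referer: "https://staging.example.com/checkout?step=2" },
  { origin: "null" },
  {},
];
for (const h of samples) {
  const result = checkOrigin(h);
  console.log(JSON.stringify(h), "->", result.status, result.reason);
}
```

Two points worth keeping in mind when reading the output. First, a 403 from this check is exactly what the post says to look for in delivery logs after a domain or hosting change: the new custom domain or preview host simply is not in the set yet. Second, browsers set Origin and Referer themselves and scripts cannot override them, but a non-browser client can send any header it likes, so this check stops cross-site abuse from other web pages and casual key reuse; it is not a substitute for the server-side validation and rate limiting the post mentions.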

Configure workflow

Manage keys and allowed origins under Settings → Configure alongside destination credentials.

Key takeaways

  • Public keys belong in client bundles — restrict abuse with domain allowlisting, not secrecy.
  • Allowlist production, staging, and dev origins explicitly; use separate keys per environment.
  • After domain or hosting changes, verify allowlist before assuming tracking is broken.
