HTTP Origin

To prevent a third party from using your API Key on their website, you can list HTTP Origins that are allowed to use HTTP.
If you are deploying your application to, adding to your HTTP Origin allowlist will ensure that Origin is not included in HTTP requests: all traffic from will be rejected.

Similar to TLS certificates, HTTP Origin matching supports wildcard subdomain patterns, where the left-most sub-domain may be replaced with the special wildcard to match any such subdomain. The matches a single sub-domain, and can only appear as the left-most portion of an entry.
The URL schema is optional, and can be http://, https:// or any other schema you want to limit to. If the schema is included in the allowlist entry, the Origin must have the same schema. Furthermore, an entry with only one schema will limit requests to Origins of that schema.


Allowlist entry:https://*

Request's Origin Header:
curl -X POST \ \
  -H 'TRON-PRO-API-KEY: 25f66928-0b70-48cd-9ac6-da6f8247c663' \
  -H 'Origin:' \
  -H 'Content-Type: application/json' \
  -d '{
    "to_address": "41e9d79cc47518930bc322d9bf7cddd260a0260a8d",
    "owner_address": "41D1E7A6BC354106CB410E65FF8B181C600FF14292",
    "amount": 1000

Result: Request is allowed, because the Origin Header matches the schema.