Restrict the API Token usage by domains

Describe the issue:

Hi everyone,

I was wondering if there’s a way to restrict the API Token usage to specific domains, like via CORS protection. This is for a client side project before you ask. From what I understand, if my (read only) API Token is used client-side, it could potentially be used by anyone without any domain restrictions.

I’ve already explored the project and environment settings, as well as the documentation, but I couldn’t find anything about setting up such restrictions. Does anyone know if this is possible or have any advice on how to secure the API Token in this scenario?

Thanks in advance!

Hello @a.piras

Currently, this is not possible directly on Dato. However, you can add an intermediary (like an edge middleware function) from your client to Dato and use that to set the domain rules and redirect the request to Dato on the server side. Using something like Cloudflare Workers to do a reverse proxy https://posthog.com/docs/advanced/proxy/cloudflare could help you set this up.

Or, if you think this would be a nice addition for Dato natively, you can open a feature request right here: https://community.datocms.com/c/feature-requests/22

What @m.finamor said :slight_smile:

I just wanted to note, too, that middleware or serverless worker functions are very common in frontend frameworks now, if you don’t want to use a separate provider.

For example, in Next.js, you can use API routes (Pages Router) or Route Handlers (App Router) to just define a serverless func right inside the same repo. Once deployed to Vercel or similar, it will automatically configure the serverless for you.