API Key Domain Lock Tester
Validate and test your domain-locked API keys securely. Verify that your keys are only usable on allowed origins.
Test Console
Enter an API key created on portal.overturemapsapi.com to verify origin enforcement.
Response Console
Execute a request on the left to see live HTTP status and body responses.
How Domain Locking Works
Domain locking restricts your Overture API key to prevent it from being stolen and used on unauthorized websites. When a request is made, your browser attaches an Origin header pointing to your domain. Our API gateway validates this origin against your key's list of allowed domains.
Client Request
The client app makes a fetch request. The browser automatically appends the Origin header.
API Gateway Check
Overture Maps API matches the key againstallowed domains. Wildcards (e.g. *.mycompany.com) are supported.
Enforcement
If the domain matches, returns 200 OK. If it does not match, returns a strict 403 Forbidden.
How to Configure in portal.overturemapsapi.com
- Create or edit your API Key in the portal interface.
- Set the **Allowed Domains (Optional)** list (e.g.
domain-locking-test.overturemapsapi.com). - Leave it empty to allow all domains (useful for backend scripts / prototyping).