Subdomain allowlist
By default, Clerk supports authentication across subdomains. When you configure a root domain for production, your application and the Frontend API (FAPI) can communicate across all subdomains of that domain. To enable this, FAPI accepts cross-origin requests from any subdomain of your root domain.
While this enables broad subdomain support, it widens your attack surface. Every subdomain of the root domain becomes an origin that FAPI trusts, so if an attacker compromises any one of them (e.g., app.example.com, whether through a vulnerability in the application hosted there or a dangling DNS record that permits a subdomain takeover), they can issue cross-origin requests to FAPI from that origin and use that access to attack authentication flows on your primary application domain (e.g., example.com).
For this reason, it is strongly recommended to enable Allowed Subdomains in production environments. Unless your application requires wildcard subdomain access, you should explicitly allowlist only the subdomains your application needs. When Allowed Subdomains is enabled, only your primary domain and explicitly allowlisted subdomains can make cross-origin requests to FAPI. All other subdomains are rejected.
Configure allowed subdomains
- In the Clerk Dashboard, navigate to the Allowed Subdomains page.
- Toggle on Enable allowed subdomains. This restricts access to specific subdomains of your configured domains.
- Under Allowed Subdomains, enter each subdomain that belongs to your primary domain (e.g. app.example.com for the primary domain example.com). Only these subdomains will be allowed to make cross-origin requests to FAPI. Your primary domain is always allowed.
- Save your changes.
After enabling this setting, FAPI will reject cross-origin requests from any subdomain that is not on the allowlist.
Disabling Enable allowed subdomains restores wildcard access across all subdomains of your primary domain, which increases your exposure to subdomain-based attacks.
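The following is an added illustrative model of the two origin policies described above (wildcard subdomains with the setting off, explicit allowlist with it on). It is not Clerk's code, and the real server-side check in FAPI is not published on this page; it only shows which origins each policy lets through and the edge cases a correct origin check must handle. Assumptions made for the example: only https origins are acceptable, the decision is made on the Origin header's serialized form, the port is not compared, and host names are compared case-insensitively. The sample origins, including the example.com.evil.com and notexample.com lookalikes, are constructed for the demonstration.

```javascript
// Added illustrative model of wildcard vs. allowlisted subdomain origins.
// NOT Clerk's code. Assumptions: https-only, Origin header is the input,
// port is ignored, host comparison is case-insensitive.

// Parse an Origin header value. Returns { scheme, host } or null when the
// value is not a well-formed serialized origin (e.g. "null" for opaque origins).
function parseOrigin(originHeader) {
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return null;
  }
  // A serialized origin carries no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return null;
  }
  return {
    scheme: url.protocol.slice(0, -1), // "https:" -> "https"
    host: url.hostname.toLowerCase(),  // URL already lowercases; be explicit anyway
  };
}

// True only for hosts that end with ".<root>". The leading dot is what stops
// "example.com.evil.com" and "notexample.com" from matching.
function isSubdomainOf(host, root) {
  return host.endsWith("." + root);
}

// "Allowed Subdomains" off: any subdomain of the root domain is accepted.
function wildcardPolicy(rootDomain) {
  return { root: rootDomain.toLowerCase(), allowlist: null };
}

// "Allowed Subdomains" on: only the root and the listed subdomains are accepted.
// Entries that are not subdomains of the root are rejected up front, mirroring
// the dashboard rule that each entry must belong to the primary domain.
function allowlistPolicy(rootDomain, subdomains) {
  const root = rootDomain.toLowerCase();
  const allowlist = new Set();
  for (const entry of subdomains) {
    const host = entry.toLowerCase();
    if (!isSubdomainOf(host, root)) {
      throw new Error(`${entry} is not a subdomain of ${root}`);
    }
    allowlist.add(host);
  }
  return { root, allowlist };
}

// Decide whether a cross-origin request from `originHeader` is accepted.
function isAllowedOrigin(originHeader, policy) {
  const origin = parseOrigin(originHeader);
  if (origin === null) return false;
  if (origin.scheme !== "https") return false;  // assumption: production is https-only
  if (origin.host === policy.root) return true;  // primary domain is always allowed
  if (policy.allowlist === null) {
    return isSubdomainOf(origin.host, policy.root); // wildcard mode
  }
  return policy.allowlist.has(origin.host);        // allowlist mode
}

// Constructed sample origins covering the interesting edge cases.
const SAMPLE_ORIGINS = [
  "https://example.com",          // primary domain
  "https://app.example.com",      // listed subdomain
  "https://staging.example.com",  // unlisted subdomain
  "https://a.b.app.example.com",  // deeper subdomain, not listed verbatim
  "https://example.com.evil.com", // attacker domain with the root as a prefix
  "https://notexample.com",       // lookalike sharing a suffix
  "http://app.example.com",       // right host, plaintext scheme
  "https://APP.Example.com",      // case variant of a listed subdomain
  "null",                         // opaque origin (sandboxed iframe, file://)
];

// Evaluate every sample origin against a policy; returns { origin: boolean }.
function evaluate(policy) {
  return Object.fromEntries(SAMPLE_ORIGINS.map((o) => [o, isAllowedOrigin(o, policy)]));
}

const wildcard = evaluate(wildcardPolicy("example.com"));
const restricted = evaluate(allowlistPolicy("example.com", ["app.example.com"]));
for (const origin of SAMPLE_ORIGINS) {
  console.log(origin.padEnd(32), "wildcard:", wildcard[origin], " allowlist:", restricted[origin]);
}
```

Two things in the table are worth noticing. Under the wildcard policy, staging.example.com and a.b.app.example.com are trusted even though the application never uses them, which is exactly the exposure the Allowed Subdomains setting removes. Under both policies the lookalike and suffix-spoof origins fail only because the match is anchored on the dot before the root domain; a check written as a plain substring or suffix match without that dot would accept example.com.evil.com.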