Embedded Wallet
Embedded Wallet Security
Overview
The Coinbase Developer Platform (CDP) Portal requires you configure which domains are authorized to access CDP APIs. These domains are configured using Cross-Origin Resource Sharing (CORS), ensuring your users are protected while maintaining a seamless experience.More on CORS
More on CORS
CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls access between different web origins. An origin is defined by the combination of protocol (http/https), domain, and port.By default, browsers enforce the same-origin policy, blocking requests between different origins for security. CORS provides a way to safely relax this restriction:
- Without CORS: Your website at
https://myapp.comcannot access APIs athttps://api.cdp.coinbase.com - With CORS: The API server explicitly allows specific origins, enabling secure cross-origin communication
Example
Let’s walk through a practical example:- A dapp at
https://app.developer.comwants to send a POST request tohttps://api.cdp.coinbase.com/embedded-wallet-api/projects/{projectId}(e.g., to create a wallet). - When Coinbase Developer Platform (CDP) receives the request, it will look up the list of allowed domains for the given project ID.
- CDP queries its database and sees that the developer has configured
https://app.developer.comas an allowed domain for the project. - CDP responds to the API with the following header set, allowing the response to return successfully:
How to configure domains
1
Access CDP Portal
Navigate to the Domains Configuration in CDP Portal:
2
Add your domain
Click Add domain and enter your allowed domain and/or port (e.g., 
https://yourdapp.com in production or http://localhost:3000 for local development):Do not use
localhost for production use. Malicious apps running locally could impersonate your frontend and abuse your project credentials.Domain format requirements
Domain format requirements
- Domains must be of the form
<scheme>://<host>:<port><scheme>must be eitherhttporhttps<host>must be a valid hostname:<port>is optional for ports 80 (http) and 443 (https), but required for all other ports (e.g.,http://localhost:3000)
- Maximum of 50 domains allowed per project
3
Save your changes
Click Add domain to save. Your allowed domains will appear in the dashboard, and changes will take effect immediately:
Add all domains where your app will run: development, staging, and production.
What to read next
- Quickstart Guide: Build your first embedded wallet app in under 10 minutes
- React Hooks Reference: Learn about available hooks like
useSignInWithEmail,useEvmAddress, anduseSendEvmTransaction - React Components Guide: Explore pre-built components for authentication, wallet management, and transactions