Currently, we allow app keys to have pure wildcard allowed origins (
"*"). They cannot be added anymore, but if a key had a wildcard origin from before that change was made, the key could continue to use the wildcard origin.
If your key is a legacy app key with a wildcard origin, you should see this message when visiting
On October 21st, we will be fully deprecating wildcard origins, meaning that they will be completely ignored even for legacy app keys. Apps that depend on wildcard origins to complete their auth flow may no longer work. You must remove the wildcard origin and replace it with a real allowed origin of a service you control.
Note that wildcard subdomains are not affected by this change (e.g.
For information about app key allowed origins, please see our documentation: Authorization