How matching works
Allowlist entries are matched on the exact hostname, case-insensitive. Subdomains are not implied: allowingapi.example.com does not allow sandbox.example.com. Wildcards are not
supported. Register each hostname you call.
Register a destination
201 with the created entry. A hostname that is already registered returns 409; a
value that is not a bare public hostname (a URL, a host with a port or path, an IP address,
or a wildcard) returns 422 INVALID_HOSTNAME.
account_code is optional. Left null (the default), the destination is allowed for every
account in your organization. Set it to a specific account id to scope the destination to
that account only — the host is then usable solely on proxy requests made under that account.
List your destinations
{"destinations": [ ... ]} — only the destinations registered for your account.
Remove a destination
204. Removing a destination takes effect immediately — the next proxy request to
that host is rejected.
Treat new-destination alerts seriouslyAdding a destination is a sensitive action: it widens where your cards can be sent. Yuno
recommends restricting who can manage the allowlist and reviewing any unexpected additions.