To prevent unauthorized parties from using your API key to create Dynamic Links that redirect from your domain to sites you don't own, you should specify the URLs your Dynamic Links can redirect to.
To specify the allowed URLs, click
> Allowlist URL patternfrom the Dynamic Links
page of the Firebase
console, and then specify up to
10 regular expressions using RE2 syntax
. Only URLs
that match one of these regular expressions can be successfully used as a deep
link ( link
) or fallback link ( afl
, ifl
, ipfl
, ofl
) for a Dynamic Links
. If
you specify URL patterns, any URL that doesn't match one of the patterns will
cause your Dynamic Links
to return HTTP error 400.
You should make your URL patterns as restrictive as possible. For example:
| Too permissive | Better |
|---|---|
| Can redirect to any page on any site ending with |
Can redirect only to pages at |
| Can redirect to any app's Google Play Store page. |
Can redirect only to Google Play
Store
pages for the app with the
package name |
| Can redirect to any page on |
Can redirect only to the App Store page for the app with the ID |
You can make sure a deep link and fallback links for a Dynamic Links match one of your URL patterns by viewing the debug page for Dynamic Links and verifying there are no warnings:
https://example.page.link/WXYZ ?d=1
