Set up your domain redirect allowlist

At a glance: Set up a domain redirect allowlist to ensure users are redirected to verified, trustworthy domains, protecting their data and safeguarding your brand integrity.

Main image.jpgOverview

Use the redirect allowlist to define a list of specific root domains and subdomains to which link redirection is allowed, to protect your links from unauthorized redirects, phishing attacks, and fraud. Once your allowlist is active, links you create via AppsFlyer will only redirect users to web URLs whose domains are in the allowlist. Otherwise, users will be sent to the app store. 

Notes

  • The redirect allowlist applies to your OneLink, single-platform attribution links via partner integration, or direct attribution links for CTV, PC, and console platforms.
  • The redirect allowlist can be accessed and managed by administrators.
  • The redirect allowlist is at the account level and applies to all apps in the account and all AppsFlyer links.
  • Before setup, verify your trusted domain list with your security team.
  • Before activation, notify coworkers and stakeholders managing AppsFlyer link creation about redirect allowlist enforcement and the permitted redirect domains.

Set up your redirect allowlist

You can set up your allowlist manually or via CSV file.

Manual setup

To set up manually:

1. From the top bar, open the account menu (email address dropdown) > Security Center

from account click security center Cropped.jpg

2. In the Redirect allowlist section, click Manage redirect allowlist.

Manage redirect allowlist with arrow.jpg

The Redirect allowlist page opens.

3. Under the Manual tab, enter a root domain or subdomain in the Domain name field, then click Add domain to list.

Manually add domains.jpg

  • Use only letters, numbers, hyphens, and periods.
  • Domains must start and end with a letter or number and can be up to 253 characters.
  • Don't add prefixes, such as https://. 

See also allowlist specifications.

The added domains will be displayed in the right-side list.

4. Click Save list

5. Switch on the Activate allowlist toggle.

activate allowlist.png


Once activated the redirect allowlist will be enforced on clicks within about an hour.

Setup via CSV file

To set up via CSV file upload:

1. From the top bar, open the account menu (email address dropdown) > Security Center

from account click security center Cropped.jpg

2. In the Redirect allowlist section, click Manage redirect allowlist.
Manage redirect allowlist with arrow.jpg

The Redirect allowlist page opens.

3. Click the CSV file tab, then follow the CSV file instructions to create a file containing your domain list.
CSV file upload.jpg

4. Upload the CSV file to the upload field.

  • Once the file is uploaded it will be parsed, and values will be validated.
  • Valid values will be automatically added and displayed in the right-side list.
  • Invalid values won’t be added. Information about invalid values will be displayed in the Upload status section so you can take the following action: review or fix the values and re-upload. See allowlist specifications for more details.

5. Click Save list

6. Switch on the Activate allowlist toggle.

activate allowlist.png


Once activated the redirect allowlist will be enforced on clicks within about an hour.

Specifications

  • To protect your links, the allowlist must be activated once set up and saved, and include at least one domain.
  • Only root domains or subdomains are allowed, not specific paths. Don't include `https://` or `http://` protocols in the value.
  • When adding a root domain, it will apply to all subdomains within the root domain.
    For example, if the root domain "website.com" is added, it will cover "abc.website.com" and "xyz.website.com" as well.
  • Don't include AppsFlyer domains (e.g., onelink.me, app.appsflyer.com) or other domains that have their own redirection mechanism (e.g., bit.ly) to fortify the predictability of the redirection of your links.
  • The allowlist affects all the links created via AppsFlyer, either with OneLink, single-platform attribution links via partner integration, or direct attribution links for CTV, PC, and console platforms, whether they were created before or after the allowlist was activated.
  • The allowlist supports and protects redirections for the following:
    • Link parameters:
      • af_r
      • af_web_dp
      • af_ios_url
      • af_android_url
    • OneLink template redirection setup for iOS, Android, and Desktop
    • af_dp with a web URL value, however, this is not a recommended value type. This parameter is intended to populate a URI scheme to open your app.
  • Up to 100 domains/subdomains can be added to the allowlist.

Edit the redirect allowlist

You can add or delete domains from the allowlist at any time (whether or not the list is active).

To delete a domain from the allowlist:

  1. On the right-side list, hover on the domain you want to delete and a delete icon will appear.
  2. Click the delete icon.
  3. Click Save list to save the change.