Set up your domain redirect allowlist

At a glance: Set up a domain redirect allowlist to ensure users are redirected to verified, trustworthy domains, protecting their data and safeguarding your brand integrity.

About the redirect allowlist

Use the redirect allowlist to define a list of specific root domains and subdomains to which link redirection is allowed, to protect your links from unauthorized redirects, phishing attacks, and fraud. Once your allowlist is active, links you create via AppsFlyer will only redirect users to web URLs whose domains are in the allowlist. Otherwise, users will be sent to the app store. The redirect allowlist applies to OneLink, single-platform attribution links via partner integration, and direct attribution links for CTV, PC, and console platforms. 

Set up your redirect allowlist

You can set up your allowlist manually or via CSV file. Before setup, it's recommended to verify your trusted domain list with your security team.

Manual setup

To set up manually:

1. From the top bar, open the account menu (email address dropdown) > Security Center.

2. In the Redirect allowlist section, click Manage redirect allowlist.

The Redirect allowlist page opens.

3. Under the Manual tab, enter a root domain or subdomain in the Domain name field, then click Add domain to list.

  • Use only letters, numbers, hyphens, and periods.
  • Domains must start and end with a letter or number and can be up to 253 characters.
  • Don't add prefixes, such as https://. 

See also allowlist traits and limitations

The added domains will be displayed in the right-side list.

4. Click Save list.

5. Switch on the Activate allowlist toggle.

The allowlist will be enforced on clicks within about an hour.

Note: Once activated, the allowlist can be updated but not deactivated.

Setup via CSV file

To set up via CSV file upload:

1. From the top bar, open the account menu (email address dropdown) > Security Center.

2. In the Redirect allowlist section, click Manage redirect allowlist.

The Redirect allowlist page opens.

3. Click the CSV file tab, then follow the CSV file instructions to create a file containing your domain list.

4. Upload the CSV file to the upload field.

  • Once the file is uploaded it will be parsed, and values will be validated.
  • Valid values will be automatically added and displayed in the right-side list.
  • Invalid values won’t be added. Information about invalid values is displayed in the Upload status section so you can review or fix the values and re-upload. See allowlist traits and limitations for more details.

5. Click Save list.

6. Switch on the Activate allowlist toggle.


Once activated, the redirect allowlist will be enforced on clicks within about an hour.

Note: Once activated, the allowlist can be updated but not deactivated.

Edit the redirect allowlist

You can add or delete domains from the allowlist at any time (whether or not the list is active).

To delete a domain from the allowlist:

  1. On the right-side list, hover on the domain you want to delete and a delete icon will appear.
  2. Click the delete icon.
  3. Click Save list to save the change.

Note: Once saved, the updated redirect allowlist will be enforced on clicks within about an hour.

Traits and limitations

Trait Remarks
Setup
  • The redirect allowlist can be accessed and managed by the "Admin" and "Security" roles.
  • The redirect allowlist is at the account level and applies to all apps in the account and all AppsFlyer links.
  • The redirect allowlist is free to use; however, Zero and Welcome plan subscribers must have a payment method on file to access the feature. The redirect allowlist is not available to team members associated with multiple accounts if an account lacks a payment method.
  • Notify coworkers and stakeholders managing AppsFlyer link creation about redirect allowlist enforcement and the permitted redirect domains.
Applicability
  • The allowlist affects all links created via AppsFlyer, either with OneLink, single-platform attribution links via partner integration, or direct attribution links for CTV, PC, and console platforms, whether they were created before or after the allowlist was activated.
  • Include in the allowlist the domains of any URL set as a value on the link redirection setup specified here, whether it's a custom website/landing page, the Google Play/App Store, or another app store website. The allowlist supports and protects redirections for the following:
    • Link parameters:
      • af_r
      • af_web_dp
      • af_ios_url
      • af_android_url
    • OneLink template redirection setup for iOS, Android, and Desktop.
    • af_dp with a web URL value. However, this is not a recommended value type; this parameter is intended to populate a URI scheme to open your app.
Domains
  • The allowlist must include at least one domain.
  • Only root domains or subdomains are allowed, not specific paths. Don't include `https://` or `http://` protocols in the value.
  • When adding a root domain, it will apply to all subdomains within the root domain.
    For example, if the root domain "website.com" is added, it will cover "abc.website.com" and "xyz.website.com" as well.
  • Don't include AppsFlyer domains (e.g., onelink.me, app.appsflyer.com) or other domains that have their own redirection mechanism (e.g., bit.ly). A domain that redirects onward can send users to a destination outside the allowlist, so excluding these keeps the redirection of your links predictable.
  • Up to 100 domains/subdomains can be added to the allowlist. You can view the number of domains already added by going to the redirect allowlist, where the number of domains is indicated.
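
The domain rules above can be checked locally before a manual entry or CSV upload. The following is an added example, not AppsFlyer code: it implements only the rules stated on this page, assumes a CSV layout of one domain per cell (the page does not show the file format), and runs on a constructed sample.

```python
import csv
import io
import re

MAX_DOMAINS = 100   # page: up to 100 domains/subdomains
MAX_LENGTH = 253    # page: up to 253 characters
# Letters, numbers, hyphens, periods; first and last character alphanumeric.
SHAPE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")
# Only the examples the page names as having their own redirection mechanism.
REDIRECTORS = ("onelink.me", "app.appsflyer.com", "bit.ly")


def check_domain(value):
    """Return None if value passes the page's rules, else the reason."""
    v = value.strip().lower()
    if "://" in v:
        return "remove the scheme prefix"
    if "/" in v:
        return "paths are not allowed"
    if len(v) > MAX_LENGTH:
        return "longer than 253 characters"
    if not SHAPE.match(v):
        return "invalid characters or start/end"
    # A root entry covers its subdomains, so also reject a parent of a redirector.
    if any(v == r or v.endswith("." + r) or r.endswith("." + v) for r in REDIRECTORS):
        return "has its own redirection mechanism"
    return None


def validate_csv(text):
    """Return (valid, rejected); assumed layout: one domain per CSV cell."""
    valid, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        for cell in (c.strip() for c in row if c.strip()):
            reason = check_domain(cell)
            if reason:
                rejected.append((cell, reason))
            elif cell.lower() not in valid:
                valid.append(cell.lower())
    for extra in valid[MAX_DOMAINS:]:
        rejected.append((extra, "over the 100-domain limit"))
    return valid[:MAX_DOMAINS], rejected


# Constructed sample input, not taken from the page.
SAMPLE = "website.com\nhttps://shop.website.com\nabc.website.com,bit.ly\n-bad.example\nwebsite.com/path\nWebSite.com\n"

if __name__ == "__main__":
    ok, bad = validate_csv(SAMPLE)
    print("valid:", ok)
    for value, why in bad:
        print("rejected:", value, "-", why)
```
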
Redirection

If you’re unsure whether a domain your link redirects to is allowed: 

Review the allowlist to make sure it’s included.

Or

Use the Link Discovery tool. When a link is entered, an alert will appear in the Parameters column (under Redirection) if a domain isn’t in the allowlist.
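
Because the allowlist also applies to links created before activation and cannot be deactivated afterwards, it helps to audit existing links first. The following is an added example, not AppsFlyer code: it approximates the matching locally from the page's statement that a root domain covers its subdomains, and the sample link and allowlist are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Redirect parameters the page lists as covered by the allowlist.
REDIRECT_PARAMS = ("af_r", "af_web_dp", "af_ios_url", "af_android_url", "af_dp")


def host_allowed(host, allowlist):
    """True if host equals an entry or is a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary: "notwebsite.com" must not pass for "website.com".
    return any(host == d or host.endswith("." + d) for d in allowlist)


def audit_link(link, allowlist):
    """Return [(param, host)] for web redirects whose host is not allowlisted."""
    allow = [d.lower() for d in allowlist]
    findings = []
    for name, value in parse_qsl(urlsplit(link).query):
        if name not in REDIRECT_PARAMS:
            continue
        target = urlsplit(value)
        is_web = target.scheme in ("http", "https") or (not target.scheme and target.netloc)
        if not is_web:
            continue  # e.g. af_dp carrying an app URI scheme, not a web URL
        # Use the parsed hostname, never a substring search on the raw value.
        host = target.hostname or ""
        if not host_allowed(host, allow):
            findings.append((name, host))
    return findings


# Constructed sample link and allowlist (hypothetical values).
SAMPLE_ALLOWLIST = ["website.com"]
SAMPLE_LINK = (
    "https://example.onelink.me/AbCd?pid=email"
    "&af_web_dp=https%3A%2F%2Fshop.website.com%2Fsale"
    "&af_r=https%3A%2F%2Fwebsite.com.other.example%2Flogin"
    "&af_ios_url=https%3A%2F%2Fnotwebsite.com%2F"
    "&af_dp=myapp%3A%2F%2Fhome"
)

if __name__ == "__main__":
    for param, host in audit_link(SAMPLE_LINK, SAMPLE_ALLOWLIST):
        print(f"{param}: {host} is not covered by the allowlist")
```

Any parameter reported here would send users to the app store instead of the intended URL once the allowlist is enforced, so either add its domain or fix the link before activating.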