API allowlist best practices
A destination allowlist should describe reviewed public API hosts—not URLs, public suffixes, arbitrary domains, or private networks. ThrottleProxy keeps plain entries exact and wildcard entries to one explicit subdomain level.
Practical boundaries
Use api.example.com when one known API hostname is sufficient.
Use *.example.com only when multiple immediate subdomains are genuinely required.
*.example.com matches api.example.com, not example.com or v1.api.example.com.
Do not include schemes, credentials, ports, paths, query strings, or fragments.
Top-level domains, public suffixes, wildcard-only patterns, and hosted platform suffixes are too broad.
An allowlist match still must pass protocol, port, DNS, private-range, metadata, and self-target checks.
No. Plain host entries are exact-host only.
No. It matches exactly one subdomain label, such as api.example.com, and not example.com.
No. The resolved target must also pass protocol, port, DNS, private-network, metadata, and loop-protection checks.
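The entry and matching rules above, written out as an added example; this is not ThrottleProxy's own code. The function names and the small suffix set are assumptions made for illustration, and the last function covers only the private-range and metadata part of the post-match checks.

```python
import ipaddress
import re

# Constructed stand-in for the Public Suffix List (assumption); a real check loads the full list.
SAMPLE_PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io", "herokuapp.com"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_entry(entry: str) -> str:
    """Return the normalized allowlist entry, or raise ValueError if it is not acceptable."""
    e = entry.strip().lower().rstrip(".")
    # Schemes, credentials, ports, paths, query strings and fragments all need one of these.
    if any(c in e for c in "/:@?#"):
        raise ValueError("entry must be a bare hostname")
    # A wildcard is allowed only as a single leading "*." label.
    base = e[2:] if e.startswith("*.") else e
    labels = base.split(".")
    if "*" in base or not all(LABEL.match(label) for label in labels):
        raise ValueError("invalid hostname label or misplaced wildcard")
    if labels[-1].isdigit():
        raise ValueError("IP literals are not allowlist hosts")
    # Top-level domains and public or hosted-platform suffixes are too broad.
    if len(labels) < 2 or base in SAMPLE_PUBLIC_SUFFIXES:
        raise ValueError("top-level domain or public suffix is too broad")
    return e


def host_matches(entry: str, host: str) -> bool:
    """Plain entries match exactly; '*.x' matches exactly one extra label in front of x."""
    h = host.lower().rstrip(".")
    if entry.startswith("*."):
        first, _, rest = h.partition(".")
        return bool(first) and rest == entry[2:]
    return h == entry


def resolved_ip_allowed(ip: str) -> bool:
    """An allowlist match is not enough: the resolved address must be publicly routable.

    is_global is False for private ranges, loopback and link-local addresses,
    which includes the 169.254.169.254 metadata address.
    """
    return ipaddress.ip_address(ip).is_global
```

Run `resolved_ip_allowed` on the address the connection will actually use, not only on an earlier lookup, so a DNS change between check and connect cannot redirect the request.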
Use one workspace key, one exact public host, and non-sensitive test traffic.