# Create an allowed origin

> Adds an origin to the admin CORS allowlist. The value must be a bare
`scheme://host[:port]` (no path, query, or fragment) and use `http` or
`https`.


**Required scope:** `write_settings` (for API-key authentication).



## OpenAPI

````yaml /api-reference/admin.yaml post /api/v3/admin/allowed_origins
openapi: 3.0.3
info:
  title: Admin API
  contact:
    name: Spree Commerce
    url: https://spreecommerce.org
    email: hello@spreecommerce.org
  description: >
    Spree Admin API v3 - Administrative API for managing products, orders, and
    store settings.


    ## Authentication


    The Admin API requires a secret API key passed in the `x-spree-api-key`
    header.

    Secret API keys can be generated in the Spree admin dashboard.


    ## Response Format


    All responses are JSON. List endpoints return paginated responses with
    `data` and `meta` keys.

    Single resource endpoints return a flat JSON object.


    ## Resource IDs


    Every resource is identified by an opaque string ID (e.g. `prod_86Rf07xd4z`,

    `variant_k5nR8xLq`, `or_UkLWZg9DAJ`). Use these IDs everywhere — URL paths,

    request bodies, and Ransack filters all accept them directly.


    ## Error Handling


    Errors return a consistent format:

    ```json

    {
      "error": {
        "code": "validation_error",
        "message": "Validation failed",
        "details": { "name": ["can't be blank"] }
      }
    }

    ```
  version: v3
servers:
  - url: http://{defaultHost}
    variables:
      defaultHost:
        default: localhost:3000
security: []
tags:
  - name: Authentication
    description: Admin user authentication
  - name: Product Catalog
    description: Products, variants, and option types
  - name: Orders
    description: >-
      Order management — orders, items, payments, fulfillments, refunds, gift
      cards, store credits
  - name: Customers
    description: Customer management — profiles, addresses, store credits, credit cards
  - name: Configuration
    description: Store configuration — payment methods, tag autocomplete
paths:
  /api/v3/admin/allowed_origins:
    post:
      tags:
        - Configuration
      summary: Create an allowed origin
      description: |-
        Adds an origin to the admin CORS allowlist. The value must be a bare
        `scheme://host[:port]` (no path, query, or fragment) and use `http` or
        `https`.


        **Required scope:** `write_settings` (for API-key authentication).
      parameters:
        - name: x-spree-api-key
          in: header
          required: true
          schema:
            type: string
        - name: Authorization
          in: header
          required: true
          description: Bearer token for admin authentication
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                origin:
                  type: string
                  example: https://admin.example.com
              required:
                - origin
      responses:
        '201':
          description: allowed origin created
          content:
            application/json:
              example:
                id: ao_gbHJdmfrXB
                origin: https://admin.example.com
                created_at: '2026-06-05T13:11:38.223Z'
                updated_at: '2026-06-05T13:11:38.223Z'
              schema:
                $ref: '#/components/schemas/AllowedOrigin'
        '422':
          description: validation error
          content:
            application/json:
              example:
                error:
                  code: validation_error
                  message: Origin is invalid
                  details:
                    origin:
                      - is invalid
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      security:
        - api_key: []
          bearer_auth: []
      x-codeSamples:
        - lang: javascript
          label: Spree Admin SDK
          source: |-
            import { createAdminClient } from '@spree/admin-sdk'

            const client = createAdminClient({
              baseUrl: 'https://your-store.com',
              secretKey: 'sk_xxx',
            })

            const origin = await client.allowedOrigins.create({
              origin: 'https://admin.example.com',
            })
components:
  schemas:
    AllowedOrigin:
      type: object
      properties:
        id:
          type: string
        origin:
          type: string
        created_at:
          type: string
        updated_at:
          type: string
      required:
        - id
        - origin
        - created_at
        - updated_at
      x-typelizer: true
    ErrorResponse:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
              example: record_not_found
            message:
              type: string
              example: Record not found
            details:
              type: object
              description: Field-specific validation errors
              nullable: true
              example:
                name:
                  - is too short
                  - is required
                email:
                  - is invalid
          required:
            - code
            - message
      required:
        - error
      example:
        error:
          code: validation_error
          message: Validation failed
          details:
            name:
              - is too short
            email:
              - is invalid
  securitySchemes:
    api_key:
      type: apiKey
      name: x-spree-api-key
      in: header
      description: Secret API key for admin access
    bearer_auth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: JWT token for admin user authentication

````
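
The origin rule described above (bare `scheme://host[:port]`, `http` or `https` only), written as a client-side pre-check to run before calling the endpoint. This is an added example, not Spree's or the SDK's code: `checkOrigin`, `report` and `SAMPLES` are names made up here, the inputs are constructed, and it relies only on the standard `URL` class.

```javascript
// Added example (not Spree code): pre-check a candidate before POSTing it to
// /api/v3/admin/allowed_origins. It mirrors the documented rule only; the
// server's validator is not shown on the page and stays authoritative.
function checkOrigin(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' }
  // Shape: scheme "://" authority, with nothing after the authority.
  // Excluding "/", "\", "?", "#" rejects path, query and fragment (the URL
  // parser treats "\" as "/" for http/https); "@" rejects userinfo; \s
  // rejects whitespace anywhere in the value.
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/\\?#@\s]+)$/i.exec(value)
  if (!m) return { ok: false, reason: 'not a bare scheme://host[:port]' }
  const scheme = m[1].toLowerCase()
  if (scheme !== 'http' && scheme !== 'https') {
    return { ok: false, reason: 'scheme must be http or https' }
  }
  let url
  try {
    url = new URL(value) // throws on an invalid host or out-of-range port
  } catch {
    return { ok: false, reason: 'host or port is invalid' }
  }
  // url.origin is how browsers serialize an origin: lowercase host, default
  // port (80/443) omitted. Returning that form is a choice of this example.
  return { ok: true, origin: url.origin }
}

// Constructed sample inputs.
const SAMPLES = [
  'https://admin.example.com',
  'https://Admin.Example.com:443',
  'http://localhost:3000',
  'https://admin.example.com/',
  'https://admin.example.com/dashboard?tab=1',
  'https://user@admin.example.com',
  'https://admin.example.com\\dashboard',
  'ftp://admin.example.com',
  'https://admin.example.com:99999',
  'admin.example.com',
]

function report(samples = SAMPLES) {
  return samples.map((input) => ({ input, ...checkOrigin(input) }))
}

console.log(report())
```

Pass the returned `origin` field, not the raw input, as the `origin` value in the request body so the stored entry has the same form a browser sends in its `Origin` header.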