Allow specific URL patterns
To prevent unauthorized parties from using your API key to createDynamic Links thatredirect from your domain to sites you don't own, you should specify the URLsyourDynamic Links can redirect to.
To specify the allowed URLs, click> Allowlist URL patternfrom theDynamic Links page of theFirebase console, and then specify up to10 regular expressions usingRE2 syntax. Only URLsthat match one of these regular expressions can be successfully used as a deeplink (link) or fallback link (afl,ifl,ipfl,ofl) for aDynamic Links. Ifyou specify URL patterns, any URL that doesn't match one of the patterns willcause yourDynamic Links to return HTTP error 400.
You should make your URL patterns as restrictive as possible. For example:
| Too permissive | Better |
|---|---|
Can redirect to any page on any site ending with |
Can redirect only to pages at |
Can redirect to any app'sGoogle Play Store page. |
Can redirect only toGoogle Play Store pages for the app with the package name |
Can redirect to any page on |
Can redirect only to the App Store page for the app with the ID |
You can make sure a deep link and fallback links for aDynamic Links match one ofyour URL patterns by viewing the debug page forDynamic Links and verifying there areno warnings:
https://example.page.link/WXYZ?d=1
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-11-25 UTC.