Skip to main content
Zenovay
Free5 minutesBeginner

Domain Verification Errors

Understand and resolve domain verification errors, including 403 Forbidden responses from the Zenovay tracking script. Explore domain setup and best practices.

domainverification403forbiddentracking
Last updated:

Learn what domain verification is, why you might see a 403 error from the Zenovay tracking script, and how to fix it.

What Is Domain Verification?

Zenovay verifies that tracking scripts only send data from authorized domains. When a visitor loads a page with your tracking script, Zenovay checks the request's Origin (or Referer) header against the domain registered for your website.

This prevents unauthorized websites from sending fake analytics data to your account and keeps your reports accurate.

Why Am I Seeing a 403 Error?

A 403 Forbidden response from the Zenovay tracking API means your tracking code is sending data from a domain that does not match your website's registered domain.

This typically happens when:

  • You added your tracking script to a domain that does not match the one set for the website in Zenovay
  • Your website moved to a different domain
  • You are testing on localhost or a local development host
  • The browser did not send an Origin or Referer header

Example console error:

POST https://api.zenovay.com/e/YOUR_CODE 403 (Forbidden)

The API returns one of these messages:

  • "Domain not authorized for this tracking code" -- the request origin does not match your website's domain
  • "Missing request origin" -- the browser did not send an Origin or Referer header

How Domain Matching Works

Zenovay checks the request origin against your website's domain using these rules:

  • Exact match -- example.com matches example.com.
  • Subdomains are allowed automatically -- if your domain is example.com, requests from www.example.com, blog.example.com, or any other subdomain are accepted. You do not need to add www separately.
  • Wildcards -- a value like *.example.com matches every subdomain of example.com.

If a website has a list of additional allowed domains configured (see Multiple Domains below), the request origin is checked against that list instead of the single primary domain.

How to Fix It

Step 1: Open the Website

Go to app.zenovay.com, sign in, then open Domains from the sidebar and select the website that is showing the error.

Step 2: Open Settings → General

Open the website's Settings and go to the General tab.

Step 3: Confirm the Domain

In the Domain section, make sure the domain matches where your tracking script is actually installed. If it is wrong or out of date, update it and click Save.

Because subdomains are matched automatically, setting example.com here also covers www.example.com and any other subdomain. Do not include https://, a path, or a trailing slash, enter the bare hostname only.

Step 4: Allow Localhost (Optional)

If you are testing locally, turn on the allow localhost option in the same General tab. This permits tracking from localhost and local development hosts so you can verify your setup before going live. Leave it off in production.

Multiple Domains and the API

The single Domain field in the dashboard, plus its automatic subdomain matching, covers most setups. If you need to authorize several unrelated domains for one website (for example a primary site and a separate marketing domain), the website can hold a list of additional allowed domains.

There is currently no in-dashboard editor for that additional allowed-domains list. You have two options:

  • MCP server (Scale plan and above): the Zenovay MCP server provides list_allowed_domains, add_allowed_domain, and remove_allowed_domain tools you can call from a connected AI agent.
  • Contact support: email [email protected] and we can configure the additional allowed domains for you.

Troubleshooting Tips

Check Domain Spelling

A small typo can cause verification to fail. Double-check that the domain saved in Zenovay matches the actual domain exactly.

Correct: example.com
Wrong:   exmple.com
Wrong:   example.co

Subdomains Are Already Covered

You do not need to add www.example.com separately, subdomains of your registered domain are accepted automatically. The same applies to blog., app., shop., and any other subdomain.

Proxy or Ad-Blocker Bypass Hosts

If you serve the tracking script through a custom first-party host (for example analytics.yourdomain.com), it is a subdomain of your registered domain and is therefore allowed automatically.

Staging and Preview Domains

Deployment previews and staging environments often use a completely different domain (for example your-project.vercel.app) that is not a subdomain of your production site. Those requests will be blocked by domain verification. For local testing, use the allow localhost option described above; for shared staging environments, get in touch with support about authorizing additional domains.

Still Having Issues?

If you have verified your domain settings and still see 403 errors:

  1. Wait a moment -- Domain changes can take a short time to take effect.
  2. Clear your browser cache and reload the page.
  3. Check your browser console for additional error details.
  4. Contact support at [email protected] with:
    • Your website URL
    • The domain showing the error
    • A screenshot of your General settings

Next Steps

Related articles

  1. Why am I being asked to verify my email again?

    Email verification fires for security reasons. Here are the common triggers and how to clear the prompt.

  2. Tracking Not Working

    Diagnose and fix common issues when Zenovay tracking isn't recording visitor data. Learn about tracking in this troubleshooting guide.

  3. Email Verification Process

    Email Verification Process: Learn how to verify your email address and troubleshoot verification issues. Explore this account security guide for details.

Was this article helpful?