> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flexslot.gg/llms.txt
> Use this file to discover all available pages before exploring further.

# Add an allowed origin to the partner

> Manage the partner's allowed-origins list.

POST adds an origin (idempotent — adding an existing origin is a no-op).
DELETE with ?origin=... removes one (404 if not present, so the partner
knows their request had no effect).

Origins gate write-path CORS — adding a new app domain shouldn't require
a Flexslot admin to do anything. This is the most common partner
self-service action.



## OpenAPI

````yaml /openapi.json post /api/public/v1/me/partner/allowed-origins
openapi: 3.0.3
info:
  title: Flexslot API
  version: 1.0.0
  description: API documentation for Flexslot decks application
servers:
  - url: https://api.flexslot.gg
    description: Production
  - url: https://api-dev.flexslot.gg
    description: Development
security: []
paths:
  /api/public/v1/me/partner/allowed-origins:
    post:
      tags:
        - Me
      summary: Add an allowed origin to the partner
      description: |-
        Manage the partner's allowed-origins list.

        POST adds an origin (idempotent — adding an existing origin is a no-op).
        DELETE with ?origin=... removes one (404 if not present, so the partner
        knows their request had no effect).

        Origins gate write-path CORS — adding a new app domain shouldn't require
        a Flexslot admin to do anything. This is the most common partner
        self-service action.
      operationId: me_partner_allowed_origins_add
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/_OriginRequestRequest'
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/_OriginRequestRequest'
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/_OriginRequestRequest'
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PartnerAllowedOriginsResponse'
          description: ''
      security:
        - PersonalAccessToken: []
        - OAuth2Bearer: []
components:
  schemas:
    _OriginRequestRequest:
      type: object
      properties:
        origin:
          type: string
          format: uri
          minLength: 1
          description: Full origin to add/remove (e.g. https://app.example.com).
      required:
        - origin
    PartnerAllowedOriginsResponse:
      type: object
      properties:
        allowed_origins:
          type: array
          items:
            type: string
            format: uri
          description: Updated full list of allowed origins.
      required:
        - allowed_origins
  securitySchemes:
    PersonalAccessToken:
      type: http
      scheme: bearer
      bearerFormat: flx_pat_...
      description: 'User-issued personal access token (format: flx_pat_<token>).'
    OAuth2Bearer:
      type: http
      scheme: bearer
      bearerFormat: flx_at_...
      description: >-
        OAuth2 access token issued via the authorization-code + PKCE flow
        (format: flx_at_<token>). Grants the partner user-scoped access to act
        on behalf of the consenting end-user.

````