Replace the redirect-URL allowlist for the current account + environment
Overwrites the full allowlist (no add/remove primitives, no
half-applied state). Up to 20 entries, each up to 2048 chars.
Every URL must be https://, must have a host, must not include
a userinfo (user:password@) component, and must not resolve to
a private/loopback/link-local/cloud-metadata range.
Sending an empty list stores an empty row, which the runtime
validator treats as deny-all. To remove the row entirely (and
return to the “no allowlist configured” denial shape) call
DELETE /v3/settings/redirect-urls.
Authorizations
Pass your secret key in the Authorization header as a Bearer
token: Authorization: Bearer sk_test_... (sandbox) or
Bearer sk_live_... (production).
Keys are created in the developer portal and the plaintext secret is shown exactly once at creation. Treat them like passwords — never embed them in mobile apps or front-end code.
Body
The full set of redirect URLs allowed for this account+environment. Each POST overwrites the previous set; an empty array stores deny-all.
20HTTPS URL with no userinfo component; rejected if it resolves to a private/loopback/cloud-metadata range.
2048