Allowed origins

ALLOWED_ORIGINS is a comma-separated list of scheme+host values that may call your customer Function App’s chat endpoints from a browser. Set during install via the wizard.

Format

• https://www.acme.com — single origin
• https://www.acme.com,https://support.acme.com — multiple
• * — open access (only OK during evaluation)

No paths. No trailing slashes. No wildcards in subdomains.

Two places it’s used

1. App Service CORS — handles OPTIONS preflight at the platform edge.
2. Per-response header — the customer-runtime sets Access-Control-Allow-Origin on each chat response.

Both are kept in sync by the bicep — you don’t manage them separately.

How to update

Re-run the deploy wizard from the Marketplace Change plan blade with a new value. The bicep re-deploys (idempotent; only the App Service CORS and ALLOWED_ORIGINS env var change) in under a minute.