# Whitelisting

--------------------------------------------------------------------------------
title: "Introduction"
description: "Whitelisting enables you to validate through Custom User Validation and permit CORS and iFrame access."
last_updated: "2026-03-18T07:41:08.533Z"
source: "https://docs.catalyst.zoho.com/en/cloud-scale/help/authentication/whitelisting/introduction/"
service: "Cloud Scale"
--------------------------------------------------------------------------------

# Whitelisting

### Introduction

Whitelisting is a feature of Cloud Scale Authentication that enables you to validate and manage various aspects of access to your Catalyst application. These include the following:

* Validating end-users' signup using custom {{%link href="/en/serverless/help/functions/basic-io" %}}basic I/O functions{{%/link%}} through {{%link href="/en/cloud-scale/help/authentication/whitelisting/custom-user-validation/introduction" %}}Custom User Validation{{%/link%}}.
* Authorizing domains for {{%link href="/en/cloud-scale/help/authentication/whitelisting/authorized-domains/introduction" %}}CORS and iFrame access{{%/link%}} to your application.

The {{%italics%}}Whitelisting{{%/italics%}} feature provides ready-to-implement security for your application by enabling you to explicitly specify and authorize the domains that can access your application's endpoints through CORS requests or load your application widget. Likewise, custom user validation restricts access to your application to the specific users that you require.

{{%note%}}{{%bold%}}Note:{{%/bold%}} You can access this section during the authentication setup in the final step, or directly from the Whitelisting section in the console. In the latter case, you should have already configured at least one of the {{%link href="/en/cloud-scale/help/authentication/authentication-types" %}}authentication types{{%/link%}}.{{%/note%}}

### Benefits

* Catalyst makes your application development process significantly easier, as you need not manually code your application to allow {{%link href="/en/cloud-scale/help/authentication/whitelisting/authorized-domains/introduction/#cors" %}}CORS{{%/link%}} requests or {{%link href="/en/cloud-scale/help/authentication/whitelisting/authorized-domains/introduction/#iframe" %}}iFrame{{%/link%}} access for each domain that you require. You don't need to configure custom responses in your functions for specific domains to access your application resources, or code the logic of loading your application as a widget in an external domain.
* You can simply add a domain in the Catalyst console and enable or disable CORS and iFrame whenever you need, with the click of a button. Similarly, you can {{%link href="/en/cloud-scale/help/authentication/whitelisting/custom-user-validation/implementation/#disable-custom-user-validation" %}}enable or disable Custom User Validation{{%/link%}} for your application through a single toggle switch, and use custom logic to validate your end-users.

## Authorized Domains

--------------------------------------------------------------------------------
title: "Introduction"
description: "Custom User Validation allows you to validate user sign ups using custom logic"
last_updated: "2026-03-18T07:41:08.534Z"
source: "https://docs.catalyst.zoho.com/en/cloud-scale/help/authentication/whitelisting/authorized-domains/introduction/"
service: "Cloud Scale"
--------------------------------------------------------------------------------

# CORS and iFrame

Catalyst Cloud Scale lets you easily configure the following two functionalities for your application from the console:

### CORS

{{%bold%}}Cross-Origin Resource Sharing{{%/bold%}} (CORS) is a mechanism that instructs a browser to allow web applications running on one origin to access resources from a different origin.

Unless you specifically enable CORS, browsers prevent client-side scripts from accessing resources from a different origin by default. This is done by implementing a security mechanism called the same-origin policy, to protect the resources. When a web application requires a resource on a different domain to be accessed, it will execute a cross-origin request by including additional HTTP headers in the request, to inform the browser about it.

When you enable CORS for an external domain in your Catalyst application, browsers will process HTTP requests from that particular domain and pass them on to Catalyst servers. Catalyst will then allow access to the client and all the function endpoints of your application, and send appropriate responses back.

Catalyst ensures secure data transfers through cross-origin requests by enabling you to specify and manage, in the console, the domains that are allowed to access the application endpoints.

### iFrame

Catalyst also enables you to easily allow your application to be incorporated as a widget in an external domain, similar to allowing CORS.

To load your application as a widget in a target website, you must code a script for it in your application's source files. Once that's done, you can embed your application as a widget on the target website by incorporating the widget script in the target's code.

If you choose to embed your application widget in the form of an iFrame, you can utilize Catalyst's convenient functionality. By default, browsers do not allow iFrame elements from one domain to be loaded in a different domain, as they violate standard content security policies, unless specific access is given. However, using Catalyst, you don't need to build the logic involved in granting permissions to allow an external widget.

You can easily enable the iFrame of your application widget for a domain in the console. Catalyst servers will then handle the communication with the browsers. The server informs the browser of the configured domains in which your application widget may be incorporated.

--------------------------------------------------------------------------------
title: "Implementation"
description: "Custom User Validation allows you to validate user sign ups using custom logic"
last_updated: "2026-03-18T07:41:08.534Z"
source: "https://docs.catalyst.zoho.com/en/cloud-scale/help/authentication/whitelisting/authorized-domains/implementation/"
service: "Cloud Scale"
--------------------------------------------------------------------------------

# Implementation

To access the {{%italics%}}Whitelisting{{%/italics%}} section, you have to configure at least one of the {{%link href="/en/cloud-scale/help/authentication/authentication-types/" %}}authentication types{{%/link%}}: {{%link href="/en/cloud-scale/help/authentication/native-catalyst-authentication/hosted-authentication-type/introduction/" %}}Hosted{{%/link%}}, {{%link href="/en/cloud-scale/help/authentication/native-catalyst-authentication/embedded-authentication/introduction/" %}}Embedded{{%/link%}}, or {{%link href="/en/cloud-scale/help/authentication/third-party-authentication/introduction/" %}}Third-party{{%/link%}}.

You can access *Authorized Domains* in the Whitelisting section at any time by navigating to **Cloud Scale > Authentication** in the console, and clicking the **Whitelisting** option.

You can also access {{%italics%}}Authorized Domains{{%/italics%}} in the *Additional Settings* section during the last step of all the authentication setups.

### To Enable CORS and iFrame

Similar to {{%link href="/en/cloud-scale/help/authentication/whitelisting/custom-user-validation/implementation/" %}}Custom User Validation{{%/link%}}, Authorized Domains is also disabled by default.

To authorize domains and enable CORS and iFrame access:

1. Click **Add Domain** under the *Authorized Domain* section.
2. Enter the domain name, and authorize the domain to have CORS and/or iFrame access by enabling the respective options, as per your preference.
3. Click **Configure** to complete the setup.

The authorized domain, along with the enabled status of CORS and iFrame access to your application, will be displayed.

You can authorize and add more domains by clicking **Add Domain** and repeating the above-mentioned steps.

### To Modify Domain Name or Update CORS and iFrame Access to Your Application

You can modify a domain name or reconfigure its CORS and iFrame access to your application in the following way:

1. Click the **ellipsis icon** next to the domain you wish to change, and click **Edit**.
2. You can update the domain name, and enable or disable CORS and iFrame access as per your preference in the pop-up window. Click **Update** to confirm the update.

You can now view the updated information of the domain in the **Authorized Domains** section.

### To Delete an Authorized Domain

You can permanently delete a domain that you authorized in the following way:

1. Click the **ellipsis icon** next to the domain you wish to delete, and click **Delete**.
2. Click **Yes, Proceed** in the confirmation pop-up.

The domain will be deleted.

## Custom User Validation

--------------------------------------------------------------------------------
title: "Introduction"
description: "Custom User Validation allows you to validate user sign ups using custom logic"
last_updated: "2026-03-18T07:41:08.534Z"
source: "https://docs.catalyst.zoho.com/en/cloud-scale/help/authentication/whitelisting/custom-user-validation/introduction/"
service: "Cloud Scale"
--------------------------------------------------------------------------------

# Custom User Validation

Catalyst offers you the option to validate and authorize end-users to your application using custom functions. This option allows you to configure a {{%link href="/en/serverless/help/functions/basic-io" %}}Catalyst Basic I/O function{{%/link%}} that contains the logic by which you wish to authorize the user. During user sign up, the credentials of the user will be validated through this Basic I/O function.

{{%note%}}{{%bold%}}Note:{{%/bold%}} To enable {{%bold%}}Custom User Validation{{%/bold%}}, you must first ensure that {{%link href="/en/cloud-scale/help/authentication/public-signup/" %}}Public Signup{{%/link%}} has been enabled.{{%/note%}}

Refer to the code snippets below for a sample Custom User Validation function in Java, Node.js, and Python:

{{%tabs%}}
{{%tab "Java" %}}
{{% panel_with_adjustment header="Custom User Validation - Java" footer="button" class="language-java line-numbers" scroll="set-scroll" %}}import java.util.logging.Level;
import java.util.logging.Logger;
// The Catalyst Java SDK classes used below (Context, BasicIO, ZCFunction, ZCProject
// and the ZCSignup* classes) must also be imported.

public class MainClass implements ZCFunction {
    private static final Logger LOGGER = Logger.getLogger(MainClass.class.getName());

    @Override
    public void runner(Context context, BasicIO basicIO) throws Exception {
        try {
            ZCProject.initProject();
            // Read the sign-up details passed to this function
            ZCSignupUserValidationRequest requestDetails = ZCSignupUserService.getSignupValidationRequest(basicIO);
            if (requestDetails != null) {
                /* Validation logic starts */
                LOGGER.info("Inside null check");
                ZCSignupUserValidationResponse validationResponse = ZCSignupUserValidationResponse.getInstance();
                if (requestDetails.getUserDetails().getEmailId().contains("@notallowedmail")) {
                    validationResponse.setStatus(ZCSignupValidationStatus.FAILURE); // The user has failed authentication
                } else {
                    validationResponse.setStatus(ZCSignupValidationStatus.SUCCESS);
                    // The actions that occur in the event of a successful authentication can be customized
                    ZCSignupResponseUserDetails respUserDetails = ZCSignupResponseUserDetails.getInstance();
                    respUserDetails.setFirstName("{customFirstName}");
                    respUserDetails.setLastName("{customLastname}");
                    respUserDetails.setRoleIdentifier("{customRoleName}");
                    respUserDetails.setOrgId("{customOrgId}");
                    validationResponse.setUserDetails(respUserDetails);
                }
                basicIO.write(validationResponse);
                /* Validation logic ends */
            }
        } catch (Exception e) {
            basicIO.write(e);
            LOGGER.log(Level.SEVERE, "Exception in MainClass", e);
            basicIO.setStatus(500);
        }
    }
}
{{% /panel_with_adjustment %}}
{{%/tab%}}
{{%tab "Node.js" %}}
{{% panel_with_adjustment header="Custom User Validation - Node.js" footer="button" class="language-javascript line-numbers" scroll="set-scroll" %}}const catalyst = require("zcatalyst-sdk-node");

module.exports = (context, basicIO) => {
  const catalystApp = catalyst.initialize(context);
  const userManagement = catalystApp.userManagement();
  // Read the sign-up details passed to this function
  const requestDetails = userManagement.getSignupValidationRequest(basicIO);
  if (requestDetails !== undefined) {
    if (requestDetails.user_details.email_id.includes("node")) {
      // The user has failed validation
      basicIO.write(
        JSON.stringify({
          status: "failure",
        })
      );
    } else {
      basicIO.write(
        JSON.stringify({
          status: "success",
          user_details: {
            first_name: "CustomFirstName",
            last_name: "CustomLastName",
            role_identifier: "CustomRole",
            org_id: "CustomOrgID", // If you are providing the Org ID, make sure it is copied exactly from the console.
          },
        })
      );
    }
  }
  context.close();
};
{{%/panel_with_adjustment%}}
{{%/tab%}}
{{%tab "Python" %}}
{{% panel_with_adjustment header="Custom User Validation - Python" footer="button" class="language-python line-numbers" scroll="set-scroll" %}}import json
import zcatalyst_sdk


def handler(context, basicio):
    app = zcatalyst_sdk.initialize()
    auth_service = app.authentication()
    # Read the sign-up details passed to this function
    request_details = auth_service.get_signup_validation_request(basicio)
    if request_details:
        if "spam.com" in request_details["user_details"]["email_id"]:
            # The user has failed validation
            basicio.write(json.dumps({"status": "failure"}))
        else:
            basicio.write(
                json.dumps(
                    {
                        "status": "success",
                        "user_details": {
                            "first_name": "Amelia",
                            "last_name": "Jack",
                            "role_identifier": "cx_role",
                            "org_id": "CustomOrgID",  # If you are providing the Org ID, make sure it is copied exactly from the console.
                        },
                    }
                )
            )
    context.close()
{{%/panel_with_adjustment%}}
{{%/tab%}}
{{%/tabs%}}

{{%note%}}{{%bold%}}Note:{{%/bold%}} These snippets are also available in the Catalyst {{%link href="/en/sdk/java/v1/cloud-scale/authentication/custom-user-validation/" %}}Java SDK{{%/link%}}, {{%link href="/en/sdk/nodejs/v2/cloud-scale/authentication/custom-user-validation/" %}}Node.js SDK{{%/link%}}, and {{%link href="/en/sdk/python/v1/cloud-scale/authentication/custom-user-validation/" %}}Python SDK{{%/link%}} repositories.{{%/note%}}

--------------------------------------------------------------------------------
title: "How It Works"
description: "Custom User Validation allows you to validate user sign ups using custom logic"
last_updated: "2026-03-18T07:41:08.534Z"
source: "https://docs.catalyst.zoho.com/en/cloud-scale/help/authentication/whitelisting/custom-user-validation/how-it-works/"
service: "Cloud Scale"
--------------------------------------------------------------------------------

# How Custom User Validation Works

The following steps detail how you can use custom logic to authenticate end-user sign ups:

{{%note%}}{{%bold%}}Note:{{%/bold%}} {{%link href="/en/cloud-scale/help/authentication/public-signup/" %}}Public Signup{{%/link%}} must be enabled to use Custom User Validation.{{%/note%}}

1. When an end-user signs up to your application using the Sign Up action configured by you, the Catalyst server will check if {{%link href="/en/cloud-scale/help/authentication/whitelisting/custom-user-validation/introduction" %}}Custom User Validation{{%/link%}} has been enabled. If it has been enabled, then the {{%link href="/en/serverless/help/functions/basic-io" %}}Basic I/O function{{%/link%}} that you have used to engineer the validation logic will be called, and the user details will be passed to the validation function as a {{%badge%}}.JSON{{%/badge%}} object.

{{%code class="language-json line-numbers"%}}{
  "request_type": "add_user",
  "request_details": {
    "user_details": {
      "email_id": "emmy@zylker.com",
      "first_name": "Emma",
      "last_name": "Thompson",
      "org_id": "43************",
      "role_details": {
        "role_name": "App User",
        "role_id": "10********"
      }
    },
    "auth_type": "web"
  }
}
{{%/code%}}

{{%note%}}{{%bold%}}Note:{{%/bold%}}

* Custom User Validation applies only to the sign up action, i.e., when the user tries to access your Catalyst application for the very first time.
* If you wish to alter any one of the input details for validation, the input to the function has to be sent as the complete .JSON object.
{{%/note%}}

2. If the user's authentication is successful based on the custom logic coded by you, then the user will be able to access the application, and the details of this user can be viewed and managed in the {{%link href="/en/cloud-scale/help/authentication/user-management/introduction" %}}{{%italics%}}User Management{{%/italics%}}{{%/link%}} section.
3. If the end-user's details do not meet the authentication requirements you coded, then they will not be able to access the application.

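
The decision logic from the steps above, as an added example that is not part of the original Catalyst documentation or SDK: it takes the request payload shown in step 1 and builds the `status` / `user_details` response used in the page's samples, matching the e-mail domain exactly and failing closed on malformed input. `ALLOWED_DOMAINS`, `ROLE_IDENTIFIER`, the function names, and handling only the `add_user` request type are assumptions; the SDK calls that read from and write to `basicio` are left out.

```python
import json

# Assumption: sign-ups are accepted only from these e-mail domains (constructed value).
ALLOWED_DOMAINS = {"zylker.com"}
# Placeholder role identifier, reused from the page's Python sample.
ROLE_IDENTIFIER = "cx_role"
FAILURE = {"status": "failure"}

# Sample input: the request shown above, with the masked IDs kept as on the page.
SAMPLE_REQUEST = {
    "request_type": "add_user",
    "request_details": {
        "user_details": {
            "email_id": "emmy@zylker.com", "first_name": "Emma", "last_name": "Thompson",
            "org_id": "43************",
            "role_details": {"role_name": "App User", "role_id": "10********"},
        },
        "auth_type": "web",
    },
}


def email_domain(email_id):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    if not isinstance(email_id, str) or len(email_id) > 254:
        return None
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in email_id):
        return None
    local, sep, domain = email_id.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.rstrip(".").lower()


def validate_signup(payload):
    """Build the response body for one signup validation request; fail closed."""
    # Assumption: only the "add_user" request type shown on the page is handled.
    if not isinstance(payload, dict) or payload.get("request_type") != "add_user":
        return dict(FAILURE)
    details = payload.get("request_details")
    user = details.get("user_details") if isinstance(details, dict) else None
    if not isinstance(user, dict):
        return dict(FAILURE)
    # Exact match on the parsed domain: a substring test would also accept
    # addresses whose domain merely contains an allowed name.
    if email_domain(user.get("email_id")) not in ALLOWED_DOMAINS:
        return dict(FAILURE)
    return {
        "status": "success",
        "user_details": {
            "first_name": str(user.get("first_name") or ""),
            "last_name": str(user.get("last_name") or ""),
            "role_identifier": ROLE_IDENTIFIER,
        },
    }


def handle(raw_body):
    """Parse the raw JSON input and return the JSON text to write back."""
    try:
        payload = json.loads(raw_body)
    except (TypeError, ValueError):
        return json.dumps(FAILURE)
    return json.dumps(validate_signup(payload))
```
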
--------------------------------------------------------------------------------
title: "Implementation"
description: "Custom User Validation allows you to validate user sign ups using custom logic"
last_updated: "2026-03-18T07:41:08.534Z"
source: "https://docs.catalyst.zoho.com/en/cloud-scale/help/authentication/whitelisting/custom-user-validation/implementation/"
service: "Cloud Scale"
--------------------------------------------------------------------------------

# Implementation

To use the {{%italics%}}Whitelisting{{%/italics%}} section, you have to configure at least one authentication type: {{%link href="/en/cloud-scale/help/authentication/native-catalyst-authentication/hosted-authentication-type/introduction/" %}}Hosted Authentication Type{{%/link%}}, {{%link href="/en/cloud-scale/help/authentication/native-catalyst-authentication/embedded-authentication/introduction/" %}}Embedded Authentication Type{{%/link%}}, or {{%link href="/en/cloud-scale/help/authentication/third-party-authentication/introduction/" %}}Third-party Authentication Type{{%/link%}}.

You can access the {{%italics%}}Whitelisting{{%/italics%}} section by navigating to {{%bold%}}Cloud Scale > Authentication{{%/bold%}} in the console, and clicking the {{%bold%}}Whitelisting{{%/bold%}} option.

Custom User Validation enables you to validate your end-users using custom logic that you define in a {{%link href="/en/serverless/help/functions/basic-io" %}}Basic I/O function{{%/link%}}.

{{%note%}}{{%bold%}}Note:{{%/bold%}}

* {{%link href="/en/cloud-scale/help/authentication/public-signup" %}}Public Signup{{%/link%}} must be enabled to use Custom User Validation.
* The custom validation function must already be coded as a Basic I/O function, in {{%link href="/en/sdk/java/v1/cloud-scale/authentication/custom-user-validation/" %}}Java{{%/link%}}, {{%link href="/en/sdk/nodejs/v2/cloud-scale/authentication/custom-user-validation/" %}}Node.js{{%/link%}}, or {{%link href="/en/sdk/python/v1/cloud-scale/authentication/custom-user-validation/" %}}Python{{%/link%}}, and be present in the Catalyst console in {{%link href="/en/serverless/help/functions/introduction/" %}}Serverless Functions{{%/link%}}.{{%/note%}}

Custom User Validation will be **disabled** by default, and you have the option of configuring it in two ways:

{{%note%}}{{%bold%}}Note:{{%/bold%}} You can also enable Custom User Validation in the *Additional Settings* section during the last step of all the authentication setups.
{{%/note%}}

### Enable Custom User Validation

1. Click the **toggle button** present next to the **Custom User Validation** option in the *Whitelisting* section.

{{%note%}}{{%bold%}}Note:{{%/bold%}} {{%link href="/en/cloud-scale/help/authentication/public-signup/" %}}Public Signup{{%/link%}} must be enabled to use Custom User Validation. As mentioned earlier, you can also enable it while setting up an authentication type using the {{%italics%}}Additional Settings{{%/italics%}} section.{{%/note%}}

2. Select the {{%link href="/en/serverless/help/functions/basic-io/" %}}Basic I/O function{{%/link%}} that contains your custom logic from the dropdown.
3. You can click the **JSON Validation** button to view and copy the sample JSON input to test the function. You can test this input with a sample function available in the respective {{%link href="/en/#DeveloperTools" %}}SDK sections{{%/link%}} of each stack, or with your own custom logic.
4. Click **Configure** to finish enabling Custom User Validation.

### Disable Custom User Validation

You can disable the *Custom User Validation* option if you no longer wish to validate user sign ups using custom logic, by simply clicking the toggle button to disable *Custom User Validation*.

Custom User Validation will be disabled, and can be re-enabled at any time.

{{%note%}}{{%bold%}}Note:{{%/bold%}} Custom User Validation will automatically be disabled for your application if you disable {{%link href="/en/cloud-scale/help/authentication/public-signup/" %}}Public Signup{{%/link%}}.{{%/note%}}