DatoCMS Domains and Content Security Policy (CSP)

Last updated: 2026-01-12

If you're trying to whitelist our domain names for the purposes of browser Content Security Policy or similar needs, this is a list of the domains used by our services.

For API requests:

• graphql.datocms.com (Content Delivery API, GraphQL)

• graphql-listen.datocms.com (Real-time Updates API for live previews via SSE)

• site-api.datocms.com (Content Management API, REST)

For images and assets:

• www.datocms-assets.com (primary CDN for all assets like images, PDFs, raw files)

• datocms-assets.6c36efb897e5eae1d2a887cfa632eea9.eu.r2.cloudflarestorage.com (for uploading assets to your project)

For HLS video streaming:

• stream.mux.com (video streaming via HLS and MP4 delivery)

• image.mux.com (video thumbnails and metadata)

Other

• If you’re embedding the DatoCMS admin interface or using plugins: *.admin.datocms.com (the CMS editor interface).

• Your plugin is likely hosted elsewhere, outside of DatoCMS altogether, like a Vercel or Netlify site.

• If you’re on an Enterprise plan with a custom asset domain, you’d replace www.datocms-assets.com with your custom domain. The same applies if you use a custom CMS admin domain.

For humans only

These sites are unlikely to be useful to APIs, but you may wish to whitelist them for your human users.

• Our forum at https://community.datocms.com is helpful for troubleshooting

• Your account dashboard is at https://dashboard.datocms.com