
Allowlist for Connection Settings

A Mobile Development Kit client allows onboarding via a URL or a QR code scan. A URL or QR code from a third party may direct the Mobile Development Kit app to a malicious onboarding site. To prevent this phishing attack, the Mobile Development Kit client only accepts trusted BTP domains from an allowlist for ServerUrl, AuthorizationEndpointUrl, RedirectUrl and TokenUrl.

The allowlist defines the sub-domains with which BTP domains must end. The,, and sub-domains are already allowed. To allow other custom sub-domains, specify the AllowedDomains property in BrandedSettings.json, e.g.

    "ConnectionSettings": {
      "ServerUrl": "https://mobile-<tenant>",
      "AuthorizationEndpointUrl": "https://oauthasservices-<tenant>",
      "RedirectUrl": "https://oauthasservices-<tenant>",
      "TokenUrl": "https://oauthasservices-<tenant>",
      "AllowedDomains": [ ".<subdomain>.<custom-domain>.com" ]
    }


A valid sub-domain requires at least two words separated by a dot.

To support AllowCerts, sapmobilesvcs://oauth2redirect and mdkclient://oauth2redirect can be used as the value for RedirectUrl.
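The suffix check described above can be sketched as follows. This is an added example, not the Mobile Development Kit client's own code: the function names, the sample domains and the https-only rule are assumptions made for illustration. It parses the URL first so that only the host name is compared, and it matches on a dot boundary.

```javascript
// Added illustration, not the MDK client's own code. Domains are constructed.
const REDIRECT_SCHEMES = ["sapmobilesvcs://oauth2redirect", "mdkclient://oauth2redirect"];
const URL_KEYS = ["ServerUrl", "AuthorizationEndpointUrl", "RedirectUrl", "TokenUrl"];
const SAMPLE_ALLOWED = [".mobile.example.com", ".com"]; // ".com" is too broad

// An entry needs at least two dot-separated words: ".sub.example.com", not ".com".
function isValidAllowlistEntry(entry) {
  const labels = entry.replace(/^\./, "").split(".");
  return labels.length >= 2 && labels.every((l) => /^[a-z0-9-]+$/i.test(l));
}

// True when the parsed host ends with an allowlisted suffix on a dot boundary.
function isAllowedUrl(value, allowedDomains) {
  let url;
  try {
    url = new URL(value); // parse first: never match against the raw string
  } catch {
    return false; // missing or malformed values fail closed
  }
  if (url.protocol !== "https:") return false; // assumption: https only
  const host = url.hostname.toLowerCase();
  return allowedDomains.filter(isValidAllowlistEntry).some((entry) => {
    const suffix = entry.toLowerCase().replace(/^\.?/, "."); // force leading dot
    return host.endsWith(suffix);
  });
}

// Returns the names of the connection settings that fail the allowlist.
function rejectedSettings(settings, allowedDomains) {
  return URL_KEYS.filter((key) => {
    const value = settings[key];
    // The two custom-scheme values are accepted for RedirectUrl only.
    if (key === "RedirectUrl" && REDIRECT_SCHEMES.includes(value)) return false;
    return !isAllowedUrl(value, allowedDomains);
  });
}
```

Comparing only the parsed host name means an allowlisted domain placed in the query string or userinfo part of a URL does not pass, and a one-word entry such as `.com` is ignored rather than allowing every host under it.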

Last update: May 9, 2023