CDK Domains Reference
This document provides a comprehensive list of all domains used by the k-ID Compliance Development Kit (CDK). If you are employing allowlisting in your security strategy, these domains should be included to ensure the CDK functions properly.
Domain Categories
The CDK utilizes various third-party services for different verification methods. Below is a breakdown of domains organized by their purpose:
| Category | Domain | Purpose |
|---|---|---|
| AgeKey Verification | *.agekey.org | Secure age proof stored on a device, used anywhere without sharing personal info. |
| Facial Age Estimation | *.privately.swiss | Privacy-preserving facial analysis services |
| | *.faceassure.com | Face verification and age estimation |
| | cdn.jsdelivr.net | JavaScript libraries and dependencies |
| | fonts.cdnfonts.com | Custom font resources |
| ID Document Verification | *.dcams.app | Document capture and verification services |
| | dcamsclientlogos.s3.us-east-2.amazonaws.com | Client branding assets |
| ConnectID Verification | *.connectid.com.au | Australian-owned digital identity solution |
| Credit Card Verification | *.stripe.com | Payment processing and card verification |
| General Verification Pages | fonts.googleapis.com | Google Fonts |
| | *.gstatic.com | Google static content delivery |
| | *.k-id.com | Core k-ID services and widgets |
Implementation Notes
Wildcard Domains
Several domains use wildcards (*) to accommodate subdomains. Make sure your allowlisting implementation properly supports wildcard matching.
Environment Considerations
- Test Environment: All domains listed are required for both test and production environments
- Regional Variations: Some services may use region-specific subdomains
Troubleshooting
If you experience issues with CDK widgets:
- Check browser developer tools for Content Security Policy (CSP) violations
- Ensure all wildcard domains are properly configured
- Verify that your CSP syntax is correct
- Test in different browsers to ensure compatibility
Security Considerations
Domain allowlisting is just one approach to securing your application when integrating third-party widgets and services. Modern web security involves multiple layers and strategies. We recommend reviewing the latest security best practices and determining the most appropriate security model for your specific use case and threat model.
While these domains are necessary for CDK functionality when using a domain allowlisting approach, always:
- Regularly review and update your allowlisting configuration
- Monitor for any unauthorized domain requests
- Keep your CSP as restrictive as possible while maintaining functionality
- Test thoroughly after any CSP changes
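The wildcard-matching and monitoring points above, as an added example that is not part of k-ID's documentation or code: a matcher that follows CSP host-source semantics (`*.example.com` covers subdomains at any depth but not the bare `example.com`) and reports hosts from observed request URLs that the table's entries do not cover. The sample URLs are constructed, `api.k-id.com` and the look-alike hosts are hypothetical, and a proxy or firewall allowlist may treat wildcards differently from CSP.

```javascript
// Allowlist entries copied from the table on this page.
const CDK_ALLOWLIST = [
  "*.agekey.org", "*.privately.swiss", "*.faceassure.com", "cdn.jsdelivr.net",
  "fonts.cdnfonts.com", "*.dcams.app", "dcamsclientlogos.s3.us-east-2.amazonaws.com",
  "*.connectid.com.au", "*.stripe.com", "fonts.googleapis.com", "*.gstatic.com",
  "*.k-id.com",
];

// Lowercase and drop a trailing dot so "K-ID.com." and "k-id.com" compare equal.
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// CSP-style match: a "*." entry needs at least one extra label in front of the
// suffix, so the apex and suffix look-alikes are rejected; other entries are exact.
function hostMatches(pattern, host) {
  const p = normalizeHost(pattern);
  const h = normalizeHost(host);
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // ".k-id.com"
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return h === p;
}

function isAllowed(host, allowlist = CDK_ALLOWLIST) {
  return allowlist.some((pattern) => hostMatches(pattern, host));
}

// Takes request URLs (for example blocked-uri values from CSP reports or proxy
// logs) and returns the sorted, de-duplicated hosts the allowlist does not cover.
function findUnlistedHosts(urls, allowlist = CDK_ALLOWLIST) {
  const unlisted = new Set();
  for (const raw of urls) {
    let host;
    try { host = new URL(raw).hostname; } catch { unlisted.add(`(unparseable) ${raw}`); continue; }
    if (!isAllowed(host, allowlist)) unlisted.add(normalizeHost(host));
  }
  return [...unlisted].sort();
}

// Constructed sample input; hostnames below are illustrative, not from the page.
const SAMPLE_URLS = [
  "https://api.k-id.com/widget.js",        // subdomain: covered by *.k-id.com
  "https://k-id.com/",                     // apex: NOT covered by *.k-id.com
  "https://notk-id.com/x.js",              // shares a string suffix only
  "https://k-id.com.example.net/x.js",     // allowlisted name used as a prefix
  "https://FONTS.googleapis.com/css2",     // case-insensitive exact match
];
console.log(findUnlistedHosts(SAMPLE_URLS));
```

If the bare domain of a wildcard entry shows up in the output, the allowlist needs a separate exact entry for it only if the integration really loads from that host.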
Additional Resources
For more information about implementing k-ID widgets and CSP configuration: