Is Domain Whitelisting Required?

API
1

Hello,

I am integrating the Twitch Embedded Player using the iframe approach as described in the official documentation: https://dev.twitch.tv/docs/embed/video-and-clips/

The player works correctly in a local development environment using parent=localhost.
However, when deploying to a non-local HTTPS environment, the player fails with:
embed-error.html?errorCode=FailedAttributeCheck. The parent parameter is dynamically set using window.location.hostname.
It correctly resolves to the current domain (no protocol, no path, no port).

The site:

  • Is served over HTTPS

  • Has a valid SSL certificate

  • Passes the correct hostname as parent

From the documentation, it is clear that the parent parameter is required. However, it is not explicitly stated whether domains must also be pre-registered or whitelisted in the Twitch Developer Console.

Could you please clarify:

  1. Is explicit domain whitelisting required for the embedded player to function?

  2. If so, where exactly should this be configured in the Developer Console and what?

  3. Can the embed function solely by correctly passing the parent parameter without any additional domain registration?

  4. Are there additional validation rules (e.g. DNS validation, production-only restrictions, subdomain limitations, iframe nesting constraints)?

At the moment, everything appears correct from the integration side, but the embed fails outside of localhost.

Any clarification would be greatly appreciated.

Thank you.

2

In cases like this it is often easier to just provide the link to the page on production for us/someone to debug more quickly.

They do not require pre registration.

No

Yes

(This section edited for clarity): Not for the parent domain itself (DNS validation)

Parents are just the domain (no https:// no path) which is valid when using window.location.hostname

In this example Twitch Embed example I use embed everything and don’t need to declare a parent expilcitly as the JS lib does it for me.

I suspect the issue here might be nested iframes but I can’t debug that without knowing/seeing the webpage with the fault. (and in that scenario each frame on the way down needs to be listed in the parent(s) see this google sites example: twitch_misc/player/googlesites at main · BarryCarlyon/twitch_misc · GitHub // Twitch Embed Test/Example code for parent issues )

3

No domain whitelisting or pre-registration in the Developer Console is required. The embed works solely by passing the parent parameter correctly.
However, there are additional validation rules — specifically iframe nesting constraints, which are some of the most common causes of FailedAttributeCheck in production.
When the Twitch embed is loaded inside a nested iframe (i.e., your page is itself inside an iframe, or the embed sits within a wrapper iframe), every ancestor domain in the chain must be passed as a separate parent parameter:

https://player.twitch.tv/?channel=xxx&parent=outersite.com&parent=innersite.com

If any ancestor is missing, you get exactly FailedAttributeCheck. This is a very common reason for the embed to work on localhost but break in production — production environments often introduce an extra iframe layer via a CMS, widget framework, CDN preview, or reverse proxy panel that you don’t have locally.
To confirm, open DevTools on your production page and inspect the Elements panel. Look for any <iframe> elements wrapping the Twitch player. If you find one, add that domain as an additional parent parameter.

Other things worth checking

  • Confirm window.location.hostname in production matches what you expect (e.g. www.example.com vs example.com)
  • If you’re accessing the site by IP address rather than a hostname, the parent parameter won’t work

To answer your questions directly

# Question Answer
1 Is explicit domain whitelisting required? No
2 Where should this be configured? N/A — no console configuration needed
3 Can the embed function solely by passing parent? Yes
4 Are there additional validation rules? Yes — iframe nesting constraints exist. Every ancestor domain in a nested iframe chain must be listed as a separate parent parameter
4

For reference here as well, depending on if using a site builder one of the domains/parent in the stack of iFrames might change each time you save the site. Which can make it interesting to build the parent stack. (Depending which one will detemine the solve). (But the use of localhost when testing/building OP’s site suggests that a site builder and thus an iFrame stack isn’t/shouldn’t be present, but might be testing before copy/pasting to said builder, which then invalidates the test as the test environment doesn’t match production)

Further reading on the Wix/embed mega thread - The great big "I'm using WIX/SomeWebsiteMaking Tool and I don't know how to fix my embed" thread

For optimal advice here please provide the page that is throwing the fault.

5

Hi,

I still consistently receive: errorCode=FailedAttributeCheck

More tests were done so far:

  1. Parent matches Referer host, like parent=example-betting.com and Referer: example-betting.com.

  2. No nested iframes

window.top === window.self returns true.
There is only a single iframe on the page.

  1. No CSP blocking

There is no Content-Security-Policy: frame-ancestors header set on our page.

  1. Tested multiple parent values

I tested:
&parent=example-betting.com

And also:

&parent=example.com
&parent=www.example.com
&parent=sub.example.com

Same result in all cases.

  1. Tested modern endpoint with embed.twitch.tv

With proper iframe attributes:

allowfullscreen
allow="autoplay; fullscreen"
sandbox="allow-modals allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox allow-storage-access-by-user-activation"

Still results in:
302 → embed-error.html?errorCode=FailedAttributeCheck

What else could trigger FailedAttributeCheck?
Domain is from betting.

Is there any server-side domain classification, internal allow/deny logic, or additional requirement (e.g. client_id) that could cause this?

Thanks!

6

I suspect the problem given the exmaple domain here contains betting your site is inviolation of embed related or developer agreement rules and is blocked. (not that I can tell you one way of the other)

But again need the actual webpage/domain to investigate for sure (to check for faults in your integration code), but if that page is also geoblocked then thats the fault/telling to the point of being blocked by Twitch itself.

The use of any Twitch embeddable experience must comply with the requirements below and the Twitch Developer Services Agreement. Twitch may revoke embed usage for domains that are not in compliance. Twitch reserves the right to revoke your ability to use our embeddable experiences, for any reason, at any time.

Embedding Twitch | Twitch Developers // Twitch Developer Services Agreement

7

If you prefer to not share your domain on this post, please email developers@twitch.tv with your domain and the error received, and we can investigate further. Thank you.

8

Feel free to DM me directly if you want help working through this — happy to work with you to resolve the issue at hand.

I’d also recommend joining the TwitchDev Discord (TwitchDev). You’ll generally get faster and more collaborative responses there. These forums have an off-putting culture, and that unfortunately puts a lot of people off. Discord tends to be a more approachable space for this kind of back-and-forth troubleshooting.

That said, definitely still email developers@twitch.tv as jbulava suggested — if this is a server-side domain block, that’s the only way to get a definitive answer and potentially resolve it.