Why am I receiving the error: "token URL or xdReceiver has not been whitelisted"?

Owned by JP Rowan (Unlicensed)
Jan 24, 2017

This error comes up for a variety of different reasons. The following are the most common fixes:

You have not yet added your domain to the application whitelist

To resolve this:

  1. Login to your Janrain account at http://dashboard.janrain.com
  2. From the front page of your Dashboard, select your Social Login instance. From that page, find the Settings window on the right and click Domains
  3. Add your domains to the Domain Whitelist (screenshot below). It is recommended that you add two entries per domain where Social Login is deployed to ensure functionality:
    *.yourdomain.com - This covers your subdomains and all subfolders within those subdomains. Note: this also covers www.yourdomain.com.
    yourdomain.com - This covers any instances of your site called without www and all subfolders within that domain.


You may have two or more Social Login instances and you are updating the whitelist of the wrong Social Login instance 

This is common in situations where you have one Social Login instance for production and are updating the whitelist for your development site, and vice-versa.

You are using a deprecated/legacy endpoint

For example: https://your_rp.rpxnow.com/openid/v2/signin?token_url=token_url, and you need to upgrade your implementation to use the new sign-in widget. Visit the Implementation Guide here for steps to upgrade.

You are using a 3rd party plugin that hits that endpoint

If this is the case, it's possible that you only need to upgrade to the newest version of that plugin. Otherwise, let the creator of the plugin know that they need to update their plugin to the new widget.