Overview
Welcome! This guide provides the complete list of domains and endpoints that must be added to your network allowlist in order for Flex Pay by Upgrade to function correctly in onboard environments.
Important
This guide applies only to Onboard environments at sea. If you are working on a Web SDK integration and need to update your allowlist, you can find instructions HERE.
Understanding Wildcard Domain Entries
Rather than allowlisting individual subdomains one by one, which can break when infrastructure changes, Flex Pay strongly recommends configuring wildcard entries whenever possible. A wildcard entry covers the root domain and all subdomains automatically.
ℹ Wildcard syntax: *.example.com matches agent.example.com, pay.example.com, api.example.com, and any other subdomain, including the root domain example.com.
Why Wildcards Matter for Flex Pay:
Upgrade periodically introduces new subdomains as services scale or infrastructure changes.
A wildcard entry ensures these are covered without requiring a new allowlist request.
Several domains (e.g., *.uplift.com) serve multiple functions — member portal, agent portal, order API, and payment estimator — all of which must be reachable simultaneously.
AWS-hosted endpoints (Cognito, S3, API Gateway) may shift regional subdomains over time; wildcard entries for *.amazonaws.com subdomains provide resilient coverage.
Complete Allowlist - Wildcard Recommendations
The table below organizes all required domains by category. For each entry, the recommended wildcard rule is provided alongside the specific subdomains it covers. Both HTTP (port 80) and HTTPS (port 443) traffic should be permitted for all entries.
| Recommended Wildcard Entry | Specific Domains Covered | Purpose | Renders UI? |
|---|---|---|---|
| Section 1 — Upgrade / Flex Pay Brand Domains | | | |
| *.upgrade.com | credapi.upgrade.com | Upgrade's consumer-facing website and payment estimator API. | YES |
| *.uplift.com | pay-api2.uplift.com, pm-mrkt.uplift.com | Legacy brand domains retained for continuity. Covers the member portal, agent portal, order API, and payment estimator. | YES |
| *.flexpaybyupgrade.com | | Flex Pay co-branded landing page for guest access. | YES |
| Section 2 — Application Platform | | | |
| *.uplift-platform.com | uplift-platform.com, bls-edge.prodgw.uplift-platform.com | Core loan application platform and debit card validation service. No visual assets — API calls only. | NO |
| *.learning-uplift.com | | Sales agent training portal and onboard certification flow. | YES |
| Section 3 — AWS Cloud Infrastructure | | | |
| *.execute-api.us-west-2.amazonaws.com | xhtsga2aoh.execute-api.us-west-2.amazonaws.com | AWS API Gateway endpoint used to retrieve the agent's IP address. | NO |
| *.cognito-idp.us-west-2.amazonaws.com (or: cognito-idp.us-west-2.amazonaws.com) | cognito-idp.us-west-2.amazonaws.com | AWS Cognito: handles login, logout, password reset, and forgot-password flows. | NO |
| *.s3.us-west-2.amazonaws.com, *.s3.amazonaws.com | uplift-loan-content.s3.us-west-2.amazonaws.com, uplift-loan-content.s3.amazonaws.com | Hosts pre-signed document URLs and Truth-in-Lending disclosures required at checkout. | NO |
| Section 4 — Third-Party Services | | | |
| *.sentry-cdn.com | js.sentry-cdn.com, browser.sentry-cdn.com | Sentry error monitoring SDK. Required for secure debit card entry form functionality. | NO |
| *.maps.googleapis.com, *.places.googleapis.com, *.maps.gstatic.com | maps.googleapis.com, places.googleapis.com, maps.gstatic.com | Google Maps & Places APIs — power the address autofill / autocomplete in the loan application form. | NO |
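
An added example (not Upgrade's own code) that checks the hostnames from the table against the wildcard entries before a rule set is deployed. The `wildcard_covers_root` flag is a hypothetical name, added on the assumption that some proxies and firewalls match `*.example.com` against subdomains only rather than the root-inclusive behaviour this guide describes.

```python
"""Added example: audit hostnames against the wildcard entries in this guide."""

# Wildcard entries copied from the "Recommended Wildcard Entry" column above.
ALLOWLIST = [
    "*.upgrade.com", "*.uplift.com", "*.flexpaybyupgrade.com",
    "*.uplift-platform.com", "*.learning-uplift.com",
    "*.execute-api.us-west-2.amazonaws.com",
    "*.cognito-idp.us-west-2.amazonaws.com",
    "*.s3.us-west-2.amazonaws.com", "*.s3.amazonaws.com",
    "*.sentry-cdn.com", "*.maps.googleapis.com",
    "*.places.googleapis.com", "*.maps.gstatic.com",
]

# Hostnames copied from the "Specific Domains Covered" column above.
REQUIRED_HOSTS = [
    "credapi.upgrade.com", "pay-api2.uplift.com", "pm-mrkt.uplift.com",
    "uplift-platform.com", "bls-edge.prodgw.uplift-platform.com",
    "xhtsga2aoh.execute-api.us-west-2.amazonaws.com",
    "cognito-idp.us-west-2.amazonaws.com",
    "uplift-loan-content.s3.us-west-2.amazonaws.com",
    "uplift-loan-content.s3.amazonaws.com",
    "js.sentry-cdn.com", "browser.sentry-cdn.com",
    "maps.googleapis.com", "places.googleapis.com", "maps.gstatic.com",
]


def matches(entry, host, wildcard_covers_root=True):
    """Return True if host is covered by one allowlist entry."""
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    if not entry.startswith("*."):
        return host == entry              # exact entry, no wildcard
    root = entry[2:]
    if host == root:
        return wildcard_covers_root       # device-dependent (assumption flag)
    # Match on a label boundary: learning-uplift.com is NOT under *.uplift.com.
    return host.endswith("." + root)


def uncovered(hosts, allowlist=ALLOWLIST, wildcard_covers_root=True):
    """List the hosts that no allowlist entry covers, in input order."""
    return [h for h in hosts
            if not any(matches(e, h, wildcard_covers_root) for e in allowlist)]


if __name__ == "__main__":
    print("guide semantics:", uncovered(REQUIRED_HOSTS))
    print("subdomain-only wildcards:",
          uncovered(REQUIRED_HOSTS, wildcard_covers_root=False))
```

With `wildcard_covers_root=False`, five of the table's hosts come back uncovered because they are the root of their own wildcard entry, so a device with that behaviour needs them listed explicitly.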