> For the complete documentation index, see [llms.txt](/llms.txt). # Restrict a Snap's RPC API methods If the `dapps` caveat of the [endowment:rpc](/snaps/reference/permissions/#endowmentrpc) permission is set to `true`, any dapp can call the Snap's RPC API by default. You can [restrict the whole API](#restrict-the-whole-api) to specific dapp origins or [restrict the API by method and origin](#restrict-by-method-and-origin). ## Restrict the whole API[​](#restrict-the-whole-api "Direct link to Restrict the whole API") The `endowment:rpc` permission has an optional [allowedOrigins](/snaps/reference/permissions/#allowed-origins) caveat. You can use this to restrict the domains that are allowed to make calls to the Snap's RPC API. ## Restrict by method and origin[​](#restrict-by-method-and-origin "Direct link to Restrict by method and origin") Sometimes a more granular control is required, such as filtering by method _and_ caller origin. You can restrict by method and origin using the `origin` parameter of the [onRpcRequest](/snaps/reference/entry-points/#onrpcrequest) entry point. For example: index.ts ``` import type { OnRpcRequestHandler, UnauthorizedError } from '@metamask/snaps-sdk' type MethodPermission = '*' | string[] const RPC_PERMISSIONS: Record = { hello: '*', secureMethod: ['https://metamask.io', 'https://www.mydomain.com'], } const isAllowed = (method: string, origin: string) => { return RPC_PERMISSIONS[method] === '*' || RPC_PERMISSIONS[method].includes(origin) } export const onRpcRequest: OnRpcRequestHandler = async ({ origin, request }) => { // Check permissions. if (!isAllowed(request.method, origin)) { throw new UnauthorizedError(`Method ${request.method} not authorized for origin ${origin}.`) } switch (request.method) { case 'hello': return 'world!' case 'secureMethod': return 'The secret is: 42' default: throw new Error('Method not found.') } } ``` You can construct more powerful filtering methods using regular expressions or any other logic of your choice.