> ## Documentation Index
> Fetch the complete documentation index at: https://docs.testdino.com/llms.txt
> Use this file to discover all available pages before exploring further.

# TestDino Cloud Endpoints and Domains

> Complete list of internet-facing TestDino services, domains, and IP ranges used to send Playwright test results and artifacts securely.

All internet-facing TestDino services and their security configuration.

## Quick Reference

| Section                                              | Description                                   |
| :--------------------------------------------------- | :-------------------------------------------- |
| [Core Services](#core-services)                      | Dashboard, API, reporter, WebSocket           |
| [Authentication & Billing](#authentication--billing) | Auth endpoints, payment webhooks              |
| [Integrations](#integration-services)                | GitHub webhooks, third-party connectors       |
| [Internal Services](#internal-services)              | AI analytics, health checks, artifact storage |
| [Network Security](#network--security)               | CORS, TLS, rate limiting, security headers    |
| [Firewall Config](#firewall-configuration)           | Domains to allowlist                          |

***

## Core Services

| Endpoint                                  | Description                                                                             |
| :---------------------------------------- | :-------------------------------------------------------------------------------------- |
| `app.testdino.com`                        | Web application: dashboard, test results, analytics, settings                           |
| `api.testdino.com`                        | Primary API: authentication, test data, project management, client-server communication |
| `api.testdino.com/api/reports/playwright` | Reporter endpoint: receives test results via API key authentication                     |
| `api.testdino.com/stream`                 | WebSocket: real-time test result updates                                                |

## Authentication & Billing

| Endpoint                                    | Description                                                              |
| :------------------------------------------ | :----------------------------------------------------------------------- |
| `api.testdino.com/api/auth`                 | Login, registration, OAuth callbacks, password reset, email verification |
| `api.testdino.com/api/v1/webhooks/razorpay` | Payment webhook: receives events from Razorpay (signature-verified)      |

## Integration Services

| Endpoint                                              | Description                                                                                                    |
| :---------------------------------------------------- | :------------------------------------------------------------------------------------------------------------- |
| `api.testdino.com/api/integrations/v1/github/webhook` | GitHub webhook: push events and PR updates (verified via `X-Hub-Signature-256`)                                |
| Integration service (internal)                        | Manages Jira, Linear, Asana, Slack, Monday.com connections. Not internet-facing. Accessed via the primary API. |

## Internal Services

| Service                      | Description                                                                                         |
| :--------------------------- | :-------------------------------------------------------------------------------------------------- |
| Analytics service (internal) | Project analytics processing. FastAPI/Python. Not internet-facing.                                  |
| `api.testdino.com/health`    | Health check for monitoring and load balancer probes                                                |
| Azure Blob Storage           | Artifact storage: screenshots, videos, traces. Access via time-limited SAS tokens (48-hour expiry). |

## Network & Security

### CORS

The API enforces strict CORS policies:

* Only explicitly configured origins are allowed (no wildcard `*`)
* Origins are defined per environment via `CORS_ORIGIN` configuration

### TLS

* All endpoints enforce HTTPS (TLS 1.2+)
* HTTP requests redirect to HTTPS
* Certificates are managed via hosting infrastructure

### Rate Limiting

| Endpoint           | Limit                       |
| :----------------- | :-------------------------- |
| Login              | 10 requests / 15 minutes    |
| Registration       | 5 requests / 15 minutes     |
| Email verification | 3 requests / 60 minutes     |
| Password reset     | 2 requests / 60 minutes     |
| Global API         | 1,000 requests / 15 minutes |

### Security Headers

All responses include headers via Helmet:

* `Content-Security-Policy` (CSP)
* `X-Frame-Options`
* `X-Content-Type-Options`
* `Strict-Transport-Security` (HSTS)

## Firewall Configuration

If your organization uses network-level allowlisting, add these domains:

| Domain                    | Required For                                            |
| :------------------------ | :------------------------------------------------------ |
| `app.testdino.com`        | Dashboard access                                        |
| `api.testdino.com`        | API, reporter submission, webhooks, WebSocket streaming |
| Azure Blob Storage domain | Artifact uploads and downloads                          |

## Related

Review what data is collected and how long it is retained.

<CardGroup cols={2}>
  <Card title="Access to Customer Data" icon="database" href="/data-privacy/access-to-customer-data">
    Full list of data TestDino collects
  </Card>

  <Card title="Data Retention" icon="clock" href="/data-privacy/data-retention">
    Retention periods by tier and data category
  </Card>
</CardGroup>
