ZipCodeAPI API/Application Key vs Client Keys

ZipCodeAPI users get two API keys - the Application Key and the Client Key.

The application key is meant to be used on your own private server. As such, it doesn’t need to have a URL allow list.

The client key is intended to be used in JavaScript. Because anyone can view the JavaScript, the key is visible to every visitor and needs extra protection, which the allow list provides. See instructions here for setting up allowed domains.

If you get the error “Client key could not be validated”, it means the request used the client key. For a client key, we need to validate that the request comes from a valid domain and send the CORS headers back to the browser. In this case the request was not sent from a browser, so it doesn’t contain the request headers required to do that check.
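The following added example models the check described above. It is not ZipCodeAPI's code. It assumes the domain is read from the browser's `Origin` request header, and the key name, allow list, and every error message except “Client key could not be validated” are hypothetical.

```javascript
// Hypothetical model of a domain allow-list check for a browser ("client") key.
// Assumptions: the service reads the Origin header; key and domains are constructed.
const ALLOWED_DOMAINS = new Map([
  // constructed sample data: client key -> domains registered by the account owner
  ["client-key-EXAMPLE", ["www.example.com", "shop.example.com"]],
]);

function validateClientKey(clientKey, requestHeaders) {
  const allowed = ALLOWED_DOMAINS.get(clientKey);
  if (!allowed) {
    return { ok: false, error: "Unknown client key" }; // hypothetical message
  }

  // Browsers attach Origin to cross-origin requests. A server-side HTTP
  // client normally sends none, so there is nothing to compare against.
  const origin = requestHeaders["origin"];
  if (!origin) {
    return { ok: false, error: "Client key could not be validated" };
  }

  let host;
  try {
    host = new URL(origin).hostname.toLowerCase();
  } catch {
    // Covers opaque origins such as the literal string "null".
    return { ok: false, error: "Client key could not be validated" };
  }

  // Exact host comparison: a substring or prefix match would also accept
  // look-alike hosts such as www.example.com.other.invalid.
  if (!allowed.includes(host)) {
    return { ok: false, error: "Domain not allowed" }; // hypothetical message
  }

  // Echo the validated origin so the browser releases the response to the page.
  return {
    ok: true,
    corsHeaders: { "Access-Control-Allow-Origin": origin, Vary: "Origin" },
  };
}

// Browser request from an allowed page, then the same key used from a server.
console.log(validateClientKey("client-key-EXAMPLE", { origin: "https://www.example.com" }));
console.log(validateClientKey("client-key-EXAMPLE", {}));
```

Server-side code that hits the second case should switch to the application key rather than try to satisfy the header check.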