[eluser]darian311[/eluser]
I found out through trial and error that turning on default xss_clean is breaking my reception of a JWT token from Google In-App Payments.
I want to have xss_clean on by default but be able to whitelist certain functions, specifically my getcash function.
Also, since I can't xss_clean the POST array for that specific function, is there a way to only allow calls to that function from the Google payments server? Let me know if there is a security best practice I'm overlooking here.