Tenant isolation, API keys, origin validation, and data boundaries.
Tenant isolation
Every tenant's data and configuration is fully separated.
Workspace / environment isolation
Sandbox and production never share data.
Public vs secret keys
Widget keys are domain-scoped; server keys stay private.
Origin validation
Requests are checked against allowed domains.
Allowed domains
Lock down exactly where your widget can run.
Session tokens
Short-lived tokens scope each chat session.
Rate limits
Protect the platform and your usage from abuse.
Usage limits
Enforced at the API layer, not just the dashboard.
Audit logs
Track admin and tenant actions over time.
Data boundaries
Clear separation between platform, tenant, and end-user data.
Public widget key
Safe to expose in frontend code. Scoped to allowed domains — requests from other origins are rejected.
Secret server key
Never expose in frontend code. Use only in server-side environments to call authenticated API endpoints.
Our team is happy to answer any security or compliance questions before you integrate.
Contact Sales