KB widget API key to be encrypted
backlog
Ramesh Lokesh
Currently, the API key used in the KB widget JavaScript is visible within the widget code. When the KB widget is integrated into an application, anyone with access to the JS code can view the API key.
Some of our customers have raised this as a security concern and have requested that the API key be encrypted.
While we currently provide a Restricted Domains option to ensure that the KB widget is only installed on authorized domains, customers feel that this does not fully address their security concerns.
Therefore, they have requested enhancements such as encrypting the API key or introducing a mechanism where the API key rotates or changes dynamically.
Mohamed Shakheen marked this post as backlog
Mohamed Shakheen
Hi Alive Salamander
Thank you for bringing this up.
In the standard KB widget implementation, the API key is included in the widget JavaScript to enable the widget to communicate with the required APIs. To mitigate misuse, we currently provide the Trusted Domains configuration, which ensures that the widget can only be loaded and used from the domains explicitly authorized by the project owner.
We recommend using the JWT-enabled KB widget configuration. In this approach, the widget does not expose the API key in the client-side JavaScript. Instead, authentication is handled through JWT token generation on the customer’s server side, and the widget uses this token to authenticate requests. This ensures that the API key remains secure on the server side and is never exposed in the frontend code.
This setup provides a more secure integration model for environments where exposing API keys in client-side scripts is a concern.