Widget API Key Changes When Modifying JWT Settings in Widget
under review
Vijay Sakthivel
When editing a widget, toggling the JWT option (enable or disable) causes the widget JavaScript to update immediately and regenerates a new API key, even when no explicit save action is performed. This behavior can result in the widget returning 401 Unauthorized errors in production environments if the newly generated API key is not updated in the embedded widget code.
Additionally, API key regeneration triggered by this action is not recorded in Team Auditing logs. Currently, audit entries are created only when changes are followed by an explicit save action, which makes it difficult for customers to track when and why an API key was changed. Improving visibility and consistency around API key changes would help customers manage widget integrations more reliably and avoid unexpected production issues.
Marginal Moose
Widget API Key Regeneration When Modifying JWT Settings Is Unacceptable
Changing JWT settings must not silently regenerate the Widget API Key. This key is a critical dependency, and regenerating it without warning immediately breaks existing integrations and production setups.
At an absolute minimum, this action must:
Display a clear and explicit warning that the Widget API Key will be replaced
Require an explicit confirmation before proceeding
Ideally decouple JWT configuration changes from API key regeneration entirely
Automatically replacing a connection key without visibility or consent causes avoidable outages and operational risk. This should never happen as a side effect of a configuration change.
We strongly urge this to be addressed as a priority.
Mohamed Shakheen marked this post as under review
Mohamed Shakheen
Hi Rose quartz Dormouse
Thank you for reporting this behavior in detail.
We understand the concern regarding the widget JavaScript updating immediately and regenerating a new API key when the JWT option is toggled, even without an explicit save action. We also acknowledge the impact this can have in production environments if the regenerated API key is not reflected in the embedded widget code.
Additionally, we note your observation about the API key regeneration not being captured in the Team Auditing logs.
Based on this feedback, we will evaluate the appropriate scenario.
Thank you for highlighting this scenario and providing detailed context.
Vijay Sakthivel
Raised on behalf of Rose quartz Dormouse