Security

App security & perimeter fit

  • Bring us inside your perimeter. Point App Settings at your identity provider (issuer + JWKS) so public survey APIs honor your bearer tokens. When security is disabled, requests still work; if a token is sent, we validate it and log warnings when it fails.
  • Client integration. Send Authorization: Bearer <token> on survey requests. The SDK supports configure({ auth: { jwt: { token } } }) and token refresh/clear via configure({ auth }).
  • Behavior & signals. When enabled, missing or invalid tokens return clear error codes (missing_token, config_missing, config_invalid, invalid_token). When disabled, tokens are optional; invalid tokens generate warnings for developers but do not block requests.
  • Fixed audience. Tokens are verified against https://api.getuserfeedback.com; issuer and JWKS are configured per app so you can align with your IdP.

Technical details (for implementers)

Security is enforced per app via issuer + JWKS settings. Tokens are validated on survey flow fetch endpoints; SDK-provided tokens propagate to loader/widget config. Disabled apps accept requests without a token but will validate any provided token and emit warnings on failures to aid debugging.
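The enabled/disabled behavior and fixed-audience check described above, modeled in Node.js as an added example (not the service's code or the SDK's). Assumptions: RS256 keys in the JWKS, the `{ enabled, issuer, jwks }` settings shape, the order of checks, which failure maps to which error code, and the throwaway demo key with its `demo-1` kid.

```javascript
// Added example: models the policy described above; not the service's implementation.
const crypto = require("node:crypto");

const AUDIENCE = "https://api.getuserfeedback.com"; // fixed audience stated on the page
const b64u = (s) => Buffer.from(s).toString("base64url");
const unb64 = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Returns null when the token is acceptable, otherwise a short reason for the log.
function verifyJwt(token, issuer, jwks, now = Math.floor(Date.now() / 1000)) {
  const [h, p, s, extra] = token.split(".");
  if (!h || !p || !s || extra !== undefined) return "malformed";
  try {
    const header = unb64(h), claims = unb64(p);
    if (header.alg !== "RS256") return "alg not allowed"; // pin the algorithm (assumed RS256)
    const jwk = jwks.keys.find((k) => k.kty === "RSA" && k.kid === header.kid);
    if (!jwk) return "unknown kid";
    const key = crypto.createPublicKey({ key: jwk, format: "jwk" });
    const sig = Buffer.from(s, "base64url");
    if (!crypto.verify("sha256", Buffer.from(`${h}.${p}`), key, sig)) return "bad signature";
    if (claims.iss !== issuer) return "wrong issuer";
    if (![].concat(claims.aud ?? []).includes(AUDIENCE)) return "wrong audience";
    if (typeof claims.exp !== "number" || claims.exp <= now) return "expired";
    return null;
  } catch {
    return "malformed";
  }
}

// app = { enabled, issuer, jwks } is a hypothetical shape for the per-app settings.
function decide(app, authorization) {
  const token = /^Bearer (\S+)$/.exec(authorization ?? "")?.[1];
  // Enabled apps reject; disabled apps let the request through and only warn.
  const fail = (code, detail) =>
    app.enabled ? { allow: false, error: code, detail } : { allow: true, warning: code, detail };
  if (!token) return app.enabled ? fail("missing_token") : { allow: true };
  if (!app.issuer || !app.jwks) return fail("config_missing");
  if (!Array.isArray(app.jwks.keys)) return fail("config_invalid");
  const reason = verifyJwt(token, app.issuer, app.jwks);
  return reason ? fail("invalid_token", reason) : { allow: true };
}

// Constructed demo IdP (throwaway key, made-up kid) so the example runs offline.
const demo = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const demoJwks = { keys: [{ ...demo.publicKey.export({ format: "jwk" }), kid: "demo-1" }] };
function mintDemo(claims, alg = "RS256") {
  const body = `${b64u(JSON.stringify({ alg, kid: "demo-1" }))}.${b64u(JSON.stringify(claims))}`;
  return `${body}.${crypto.sign("sha256", Buffer.from(body), demo.privateKey).toString("base64url")}`;
}
```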
