Widget Security Model

Understand what the public API key does, where auth fits, and how browser installs stay inside the trust boundary.

The widget is designed for browser use. That means some pieces are intentionally public and some are not.

What the public API key does

The public API key identifies the app the request belongs to. It does not prove who the user is.

Do not treat hiding the public API key in frontend code as a security boundary. It is meant to be client-visible.

What actually controls trust

Trust comes from the app's configuration and the signals you send with each request:

  • JWT auth when App Security is enabled
  • identity via identify() or embed URL parameters
  • consent configuration for non-essential scopes
  • the fact that requests are scoped to one app key

One model across browser surfaces

The JavaScript SDK, React SDK, and loader-based global API share the same basic public model:

  • identify the user if needed
  • configure auth if needed
  • open or embed the flow
  • reset state on logout

That consistency is deliberate. Switching install methods should not require a different security story.