Hosted Experience
Securing your experience
You have two options for securing your experience: domain whitelisting and API key.

Domain whitelisting provides a lower level of security. It prevents someone from taking your deployment code snippet and hosting it on their own public website, but it is still possible for a malicious user to request a valid session token via other methods.

The API key method provides the highest level of security by requiring session tokens to be generated using your secret key. This approach requires that you build and host your own service to generate a session token while keeping your API key secret.

Domain whitelisting

Before a digital human can be deployed to your website, the domain must be whitelisted. Whitelisted domains can be set within UneeQ's administration portal. To do this, navigate to the digital human you want to deploy on your website and add your domain to the "Allowed Domains" field within the "Security" section.

If you experience any trouble with this process, please contact your customer success representative or email help@uneeq.com to let us know the domains where you will be deploying your digital human. We will ensure these domains are whitelisted so that your digital human can't be used without your consent.

For example, if you are inserting the code snippet into a webpage with the URL https://your-domain.com/example/, then you must have the domain https://your-domain.com whitelisted. To ensure the security of your conversation, it will not be possible to start a session with your digital human outside of https://your-domain.com.

Content security policy

If you have a content security policy, you'll need to add `Referrer-Policy: strict-origin-when-cross-origin`. This allows your website to pass the page referrer into the UneeQ frame for validation.

API key

For the API key approach to be built in a secure manner, you will need to build your own backend service that generates the session token and returns it to your front end. You should secure your backend service so it is not available to the public internet, otherwise a malicious user could use your service to retrieve session tokens for your digital human.

To generate the session token, we provide a public API with the following specifications:

Request: POST
URL: /session-service/v1/create-session
Headers: Authorization: "your secret api key"
Body: { personaid: 'your persona id' }

Example

```javascript
const connectionurl = 'http://api.uneeq.io';
const personaid = 'your persona id';
const apikey = 'your secret api key';

// Run this from your backend service only, so the API key never reaches the browser.
fetch(`${connectionurl}/session-service/v1/create-session`, {
    method: 'POST',
    headers: {
        'Authorization': apikey,
        'Content-Type': 'application/json'
    },
    body: JSON.stringify({ personaid })
});
```

```bash
curl -X POST "http://api.uneeq.io/session-service/v1/create-session" \
  -H "Authorization: your secret api key" \
  -H "Content-Type: application/json" \
  -d '{"personaid": "your persona id"}'
```

Never include your secret API key in your frontend application or leak it to the public.
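The backend service described in the API key section, sketched as an added example (not UneeQ's code): the caller is authenticated before any token is requested, and the key and persona ID come from server configuration only. The endpoint path and `personaid` field are taken from the request specification above; the `cfg` field names, `isAuthenticated` and `fetchImpl` are hypothetical, and because the page does not describe the response format, the upstream body is passed through unchanged.

```javascript
// Added example: token-minting logic for your own backend (hypothetical names).
// cfg = { connectionurl, apikey, personaid }, loaded from server-side config or
// environment variables, never from anything the browser sends.
async function mintSessionToken(cfg, fetchImpl = globalThis.fetch) {
  if (!cfg.apikey || !cfg.personaid) throw new Error('server misconfigured');
  const res = await fetchImpl(`${cfg.connectionurl}/session-service/v1/create-session`, {
    method: 'POST',
    headers: { 'Authorization': cfg.apikey, 'Content-Type': 'application/json' },
    // The persona is fixed server-side so a client cannot request a different one.
    body: JSON.stringify({ personaid: cfg.personaid }),
  });
  if (!res.ok) throw new Error(`create-session failed with status ${res.status}`);
  // Response shape is not documented on the page: forward the body as received.
  return res.text();
}

// Framework-neutral handler: returns { status, body } for your route to send.
// isAuthenticated(request) is your own check (session cookie, SSO, mTLS, ...).
async function handleTokenRequest(request, cfg, isAuthenticated, fetchImpl = globalThis.fetch) {
  // Without this gate, anyone who can reach the endpoint can obtain tokens.
  if (!(await isAuthenticated(request))) {
    return { status: 401, body: JSON.stringify({ error: 'unauthorized' }) };
  }
  try {
    return { status: 200, body: await mintSessionToken(cfg, fetchImpl) };
  } catch (err) {
    // Log server-side only; the client gets a generic error with no upstream
    // detail and no trace of the API key.
    console.error('session token request failed:', err.message);
    return { status: 502, body: JSON.stringify({ error: 'token service unavailable' }) };
  }
}

// Constructed demo: a stub stands in for the real API, so nothing is sent.
const demoStub = async () => ({ ok: true, status: 200, text: async () => 'constructed-body' });
const demoCfg = { connectionurl: 'http://api.uneeq.io', apikey: 'constructed-key', personaid: 'constructed-persona' };
handleTokenRequest({}, demoCfg, async () => false, demoStub)
  .then((r) => console.log('unauthenticated caller ->', r.status));
```

Wire `handleTokenRequest` into whatever HTTP framework your backend uses, and keep the route behind the same authentication as the page that embeds the digital human.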