Hosted Experience

Securing your experience


You have two options for securing your experience: domain whitelisting and an API key.

Domain whitelisting provides a lower level of security: it prevents someone from taking your deployment code snippet and hosting it on their own public website, but it is still possible for a malicious user to request a valid session token via other methods.

The API key method provides the highest level of security by requiring session tokens to be generated using your secret key. This approach requires you to build and host your own service that generates session tokens while keeping your API key secret.

Domain whitelisting

Before a digital human can be deployed to your website, the domain must be whitelisted. Whitelisted domains can be set within UneeQ's administration portal.

To do this, navigate to the digital human you want to deploy on your website and add your domain to the "Allowed Domains" field within the "Security" section.


If you experience any trouble with this process, please contact your Customer Success representative or email [email protected] to let us know the domains where you will be deploying your digital human. We will ensure these domains are whitelisted so that your digital human can’t be used without your consent.

For example, if you are inserting the code snippet into a webpage with the URL https://your-domain.com/example/, then you must have the domain https://your-domain.com whitelisted.

To ensure the security of your conversation, it will not be possible to start a session with your digital human from anywhere other than https://your-domain.com.

Content security policy

If you have a content security policy, you'll also need to set Referrer-Policy: strict-origin-when-cross-origin. This allows your website to pass the page referrer into the UneeQ frame for validation; a stricter policy such as no-referrer would withhold the referrer and cause the domain check to fail.

API Key

To implement the API key approach securely, you will need to build your own backend service that generates the session token and returns it to your front end.

You should secure your backend service so it is not available to the public internet, otherwise a malicious user could use your service to retrieve session tokens for your digital human.

To generate the session token, we provide a public API with the following specifications:

Request: POST

URL: /session-service/v1/create-session

Body (JSON): { "personaId": "your-persona-id", "apiKey": "your-secret-api-key" }

Example



Never include your secret API key in your frontend application or leak it to the public.