CHATBOT

Chatbot security checklist

Review before production launch.

Keys

  • public_widget only in browser (script, React, anonymous SDK calls).
  • secret_server only in backend env vars — never in NEXT_PUBLIC_*.
  • No StartupCore Internal keys in customer deployments.

Domains and publish

  • allowedDomains lists every production origin.
  • Bot published after knowledge review.
  • Knowledge reviewed for PII and incorrect answers.

Private actions

  • Private intents require authenticated widget session.
  • Webhook signature verification enabled on your endpoint.
  • Idempotency enforced for action handlers.

Limits

  • Rate limits understood for widget and API.
  • Usage/plan limits reviewed for expected traffic.