API keys for Public Assistants
Public clients
When you embed your AI assistant in websites where the user is not authenticated, like in your public docs, help center, or marketing site, the web browser is considered a "public client". Since many of these sites don't have a backend, the most practical way to use the AI assistant is for UI components to talk directly to the Inkeep service.
While it is up to your company's own policies and best practices, in these scenarios it is generally acceptable for the Inkeep API key to be included in the source code of your web page, where it is exposed in the browser. This is similar to how Algolia's search service or Sentry's error logging works.
Default security
To prevent misuse of your public API key, Inkeep by default:
- Implements IP and client level throttling and monitoring
- Monitors for abusive or spam-like behavior
- Uses other security mechanisms
- Blocks access to malicious clients
Additionally, the API key is tied to the Inkeep chat service, so it's only useful for answering questions about your product. It's not a general-purpose API key like an API key for OpenAI or another LLM provider would be.
Content security
We recommend not using private content like support tickets or internal Slack conversations in your customer-facing assistants. Such sources are typically used only in employee-facing assistants, such as the Inkeep Copilot or an internal Slack bot. Private vs public projects and sources are labeled in the Inkeep dashboard to make this distinction clear. Check the Sources tab in a project to see which sources are enabled for it.
Referrer URL
For Web integration types, we recommend:
- Specifying the root URL of your webpage in the URL field
- Ensuring the Enforce referrer URL option is enabled for your production API keys
- Registering a different integration for at minimum every domain/site you add Inkeep to
As one of many security measures, this enables our chat service to check that API requests are coming from browsers navigating your website.
Local development
For local environments, we recommend creating a separate Web integration so you can have a different API key than your production one. You can disable Enforce referrer URL for this purpose. Keep this API key secure.
Staging environments
Similarly, we recommend creating another Web integration for your staging environments with a different URL and API key. You can leave Enforce referrer URL enabled.
Creating separate API keys also helps keep real vs test usage separated in your analytics.
Advanced security
If you would like to implement your own protection mechanisms or keep the API key private, you can route traffic through a private proxy. Your proxy is then responsible for rate limiting and any other security measures, such as CAPTCHA services. In this scenario, you can use an API integration type instead of a Web type and have your proxy insert the API key into the forwarded requests. This works because the communication now happens between your proxy server and Inkeep's server, so the key never reaches the browser.
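As an added example (not Inkeep's code), the core server-side logic such a proxy needs: the browser never sees the key, the proxy checks the request's origin against an allowlist, applies a per-client token-bucket rate limit, caps the body size, and only then builds the upstream request with the key inserted from the environment. The allowed origins, the `INKEEP_API_KEY` environment variable name and the `Authorization: Bearer` header are assumptions; the actual HTTP forward to the Inkeep endpoint is left to your HTTP client.

```python
import os
import time
from urllib.parse import urlparse

# Assumptions (placeholders): sites allowed to call this proxy, the env var
# holding the key, and a request body cap. The key is read server-side only.
ALLOWED_ORIGINS = {"https://docs.example.com"}
SECRET_KEY = os.environ.get("INKEEP_API_KEY", "placeholder-key")
MAX_BODY_BYTES = 16 * 1024


class TokenBucket:
    """Per-client token bucket: refills `rate` tokens/second, bursts up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.buckets = {}  # client id -> (tokens, last seen timestamp)

    def allow(self, client_id, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self.buckets.get(client_id, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client_id] = (tokens, now)
            return False
        self.buckets[client_id] = (tokens - 1, now)
        return True


def origin_allowed(headers):
    """Compare the browser-set Origin (fallback: Referer) against the allowlist."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    p = urlparse(origin)
    return f"{p.scheme}://{p.netloc}" in ALLOWED_ORIGINS


def prepare_upstream(headers, body, client_ip, limiter):
    """Return (status, forwarded_headers). Forward only when the origin is
    allowed, the body is small enough and the client is within its rate limit.
    Forwarded headers are built fresh, so nothing the client sent leaks upstream."""
    if not origin_allowed(headers):
        return 403, None
    if len(body) > MAX_BODY_BYTES:
        return 413, None
    if not limiter.allow(client_ip):
        return 429, None
    # Header name is an assumption; the key is inserted here, never in the browser.
    forwarded = {"Content-Type": "application/json",
                 "Authorization": f"Bearer {SECRET_KEY}"}
    return 200, forwarded
```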
Alternatively, you can require a user to authenticate with your application before accessing the assistant. You can optionally have the Inkeep chat service validate a JWT to check that the user should have access.
Contact support for details on either of these approaches.