Security

Promptify provides several security mechanisms to protect your messenger and user data.

Restrict which domains the messenger widget can connect from. Configure a list of trusted domain patterns in Settings > Messenger > Security. Wildcard patterns are supported (e.g. *.example.com). When no domains are configured, all origins are allowed.

You can toggle whether anonymous visitors (without a user ID) are allowed to use the messenger. When disabled, only identified users can start conversations.

When enabled, all setUser calls require a valid signed JWT. Requests without a verified JWT are rejected.

JWT signing uses asymmetric key pairs. Upload your public key (SPKI format) in the security settings. Supported algorithms: EdDSA, ES256, PS256, RS256.

See User Identification for the full JWT setup guide.
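
The asymmetric flow described above, as an added example that is not Promptify's own code: your server keeps an Ed25519 private key, the SPKI PEM is the only part uploaded, and the verifier pins the algorithm and checks expiry. The function names, the `sub`/`iat`/`exp` claims and the 5-minute lifetime are assumptions; the User Identification guide defines the claims Promptify actually expects.

```javascript
// Added example: function names, claims and lifetimes are assumptions, not Promptify's API.
const crypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Generate an Ed25519 key pair. The private key stays on your server;
// the SPKI PEM is the part you would upload in the security settings.
function generateKeyPair() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const spkiPem = publicKey.export({ type: 'spki', format: 'pem' });
  return { privateKey, spkiPem };
}

// Sign a short-lived EdDSA JWT for one user (claim names are assumed).
function signUserToken(privateKey, userId, ttlSeconds = 300, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub: userId, iat: now, exp: now + ttlSeconds }));
  const signingInput = `${header}.${payload}`;
  const signature = crypto.sign(null, Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Verifier side: only the SPKI public key is needed. Returns claims or null.
function verifyUserToken(token, spkiPem, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, signature] = parts;
  try {
    // Pin the algorithm; never let the token header choose it.
    if (JSON.parse(Buffer.from(header, 'base64url')).alg !== 'EdDSA') return null;
    const publicKey = crypto.createPublicKey(spkiPem);
    const ok = crypto.verify(null, Buffer.from(`${header}.${payload}`), publicKey,
      Buffer.from(signature, 'base64url'));
    if (!ok) return null;
    const claims = JSON.parse(Buffer.from(payload, 'base64url'));
    // Reject tokens with a missing or past expiry.
    if (typeof claims.exp !== 'number' || claims.exp <= now) return null;
    return claims;
  } catch {
    return null; // malformed header, payload or key
  }
}
```
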

  • All communication uses TLS encryption.
  • Conversation data is isolated per workspace.
  • User data is not shared across workspaces.
  • Session tracking uses partitioned cookies for cross-site isolation.