Widget Publishable Keys

Widget APIs authenticate with X-Widget-Publishable-Key.

Key Properties

Generated format: wpk_live_<random>
Stored server-side as SHA-256 hash
Can be scoped per agent
Can be revoked

Key Management Workflow

Go to Deploy for the target agent.
Create a key with a clear name.
Add it to your website embed snippet as data-widget-key.
Rotate and revoke as part of routine security hygiene.

Security Practices

Publishable keys are expected to be exposed in client-side embed code.
Use separate keys for staging and production.
Rotate keys after team transitions or suspected leakage.

Last updated on March 17, 2026

Install the Widget Widget Runtime Behavior

Dukon | Docs