Auth & security

Dashboard

Access is tied to your identity provider (e.g. Supabase auth). Use a strong password and workspace roles as shipped in the product.

API & widget

• Widget: domain allowlists and public embed keys are scoped in the dashboard—never expose service credentials in front-end bundles beyond what the widget requires.
• API: use server-side secrets. Rotate keys if they leak. Prefer least privilege per environment (dev vs production).

Data

Content you index is stored for retrieval by your agents. Remove sources you no longer want used. See Privacy and Security pages on the marketing site for policy detail.