Site keys & allowed origins

How Yokaify authenticates your site and keeps your widget locked to your own domains.

Your site key

The data-site-key in your install snippet tells Yokaify which account and knowledge base a request belongs to. Every request from the widget carries it.

Why the key is public

The site key lives in your page's HTML, so anyone can read it — that's expected. The key alone doesn't grant access to your dashboard or data; it only points requests at the right site.

Allowed origins

Security comes from your allowed-origins list: Yokaify only accepts widget requests coming from domains you've approved. Add every domain your store runs on (including staging) so the widget works there and nowhere else.

Rotating a key

If you ever need to, you can issue a new site key and update the snippet. Combined with the origin allowlist and server-side limits, this keeps control of your widget firmly with you.