Site keys & allowed origins
How Yokaify authenticates your site and keeps your widget locked to your own domains.
Your site key
The data-site-key in your install snippet tells Yokaify which account and knowledge base a request belongs to. Every request from the widget carries it.
Why the key is public
The site key lives in your page's HTML, so anyone can read it — that's expected. The key alone doesn't grant access to your dashboard or data; it only points requests at the right site.
Allowed origins
Security comes from your allowed-origins list: Yokaify only accepts widget requests coming from domains you've approved. Add every domain your store runs on (including staging) so the widget works there and nowhere else.
Rotating a key
If you ever need to, you can issue a new site key and update the snippet. Combined with the origin allowlist and server-side limits, this keeps control of your widget firmly with you.