
Why My Multi-Tenant Chatbot Needed Two Types of API Keys
I'm building a multi-tenant AI chatbot. Businesses sign up, share their documents and get a chat widget to embed on their website. The widget talks to their knowledge base and only their knowledge base.

I covered the WebSocket authentication side of this in a previous post. This one is about the problem that lives on the other end — in the browser.

The widget needs to know which tenant it belongs to. That means some form of credential has to exist in the frontend code. As we all know, frontend code is not a friend who can keep secrets. The code is public. Anyone can open DevTools, inspect the network tab, and read the script tag. Whatever key you put there is fully exposed from day one.

So the question becomes: how do you authenticate something that can never be secret?

Where Do You Even Store This Stuff?

Now I need to make a tiny side track here. Before I could even get to the API key problem, I had a session management problem. When an anonymous user opens the chat widget, the backe



