Widget Security
Rapidflare is built with security at its core. This document explains how the Rapidflare widget securely integrates into your public-facing web apps while ensuring protection against abuse, impersonation, and unauthorized access. From bot mitigation to publishable API key protection, we’ve implemented modern, multi-layered defenses to help you ship with confidence.
Key Security Principles
We designed the Rapidflare widget with these core principles:
- Secure by default: Every integration point includes protections against tampering, misuse, and impersonation.
- Invisible yet effective protection: Invisible mechanisms like reCAPTCHA and AppCheck silently protect user sessions.
- Granular access control: Domain-restricted publishable API keys and tokenized authentication ensure tight boundaries.
- Transparency and compliance: Clear infrastructure and security practices ensure trustworthiness.
How Authentication Works
Our authentication system uses AppCheck, and domain-bound publishable API keys to validate every interaction and prevent unauthorized access.
1. AppCheck (Powered by reCAPTCHA service)
AppCheck ensures the request comes from an authentic version of your site (not a spoofed or malicious clone). It uses:
- Cryptographic attestation of the client
- Domain whitelisting to lock publishable API keys to specific origins
- Backend enforcement of legitimacy
2. Invisible reCAPTCHA
reCAPTCHA v3 runs silently in the background, assigning a risk score (0.0–1.0) based on user behavior. It blocks known bots while preserving the user experience.
- Invisible UX: No interaction needed by the end user
- Risk scoring: Adaptive handling based on behavior
- ML-powered: Continuously evolving to catch new threats
3. Short-Lived, One-Time Tokens
Each request is signed with a single-use, short-lived token with replay protection. This ensures:
- No session hijacking
- Each request protected by single-use token
- Clear attribution for each action
Integration Options
Rapidflare securely supports multiple embed methods:
| Security Measures | iframe embedding | JavaScript widget | White-labeled domains |
|---|---|---|---|
| Content sandboxing | ✅ | ✅ | ✅ |
| Domain bound publishable API keys | ✅ | ✅ | ✅ |
| DDOS protection | ✅ | ✅ | ✅ |
| Spam/bot protection using reCAPTCHA | ✅ | ✅ | ✅ |
Domain bound publishable API Keys
Before you can integrate copilots into your enterprise, you will need to grab your publishable API key from your dashboard. You can find it under Copilots » Configure » Security.
At present users can generate publishable API keys by simply setting an expiry date timestamp. You will soon be able to associate one or more domains (includes wildcard domains too) - doing so will allow ONLY those requests coming from your whitelisted domains, and block requests from all other domains.
Note: This feature is still under active development, and will be made generally available over the next couple of weeks.
Why This Matters: Key Benefits
| Benefit | Description |
|---|---|
| Zero-interruption security | All protection happens behind the scenes—no user friction. |
| Replay attack prevention | Fresh tokens for every request eliminate credential reuse. |
| Real domain lock-in | API keys are useless outside your configured domains. |
| Visibility & observability | Risk scoring + traffic filtering ensures clean, high-quality analytics. |
| Seamless developer UX | Minimal setup required, with strong defaults for secure integration. |
Questions or Concerns?
Reach us at support@rapidflare.ai for any questions, audits, or detailed integration support.