API Keys
Create and manage API keys for widget embeds and external integrations.
API keys authenticate requests from widget embeds and external integrations. Each key carries scopes that control what it is allowed to do.
Creating a Key
- Go to Settings → API Keys
- Click Create Key
- Fill in the fields:
| Field | Description |
|---|---|
| Name | A label to identify the key (e.g., Production Widget, Dev Testing) |
| Allowed Domains | Optional comma-separated list of domains that may use this key |
| Scopes | Permissions granted to the key (see Scopes below) |
- Click Create — the full key is displayed once. Copy and store it securely; it cannot be retrieved again.
Key Format
Keys are prefixed with osm_ followed by a random string:
osm_xxxxxxxxxxxxxxxxxxxxxxxxxxxxTreat your API key like a password. Do not commit it to source control or expose it in client-side code beyond the widget embed.
Scopes
| Scope | Allows |
|---|---|
| chat | Text chat widget interactions |
| voice | Voice call widget interactions |
Select only the scopes your integration requires. A key used solely for a chat widget does not need the voice scope.
Domain Restrictions
When Allowed Domains are set, the key is rejected for requests originating from any unlisted domain. Leave this field empty to allow all domains (useful for server-side or testing use cases).
Examples of valid domain entries:
example.com
app.example.com
localhostManaging Keys
From the API Keys list you can:
- Enable / Disable — Temporarily deactivate a key without deleting it
- Edit — Update the name or allowed domains
- Delete — Permanently revoke the key
Disabling a key immediately stops all requests authenticated with it. Re-enable at any time.