Manage sites & rotate tokens
A chatbot can have many deployments — websites, Shopify, WordPress, custom integrations. The Install tab is your control panel.
In this guide:
- See all deployments
- Generate a new deployment
- Rotate a token
- Revoke a deployment
- Allowed domains
Step 1: Open the Install tab
On your chatbot detail page, click Install in the left rail. You’ll see a list of every active deployment.
Screenshot: The deployments list with type, site, and last-active columns.
Each row shows:
- Type: Website, Shopify, WordPress, Custom.
- Site / Store: the host the deployment is bound to.
- Token: a masked preview (e.g., tkn_••••abc1).
- Last active: the most recent message handled.
Step 2: Generate a new deployment
Click New deployment. Pick the type (Website, Shopify, WordPress, Custom) and:
- For Website: enter the domain. You’ll get an embed snippet in return.
- For Shopify: clicking generates a token; the actual link happens via the Shopify App Store flow.
- For WordPress: clicking generates a token to paste into the WordPress plugin.
- For Custom: a token alone, with no host/site binding (for raw API access).
Step 3: Rotate a token
If a token leaks (committed to a public repo, posted in a screenshot), rotate it immediately.
Open the deployment row → click Rotate token. Confirm. The old token is invalidated immediately; the new token replaces it. Update wherever the old token was used (Shopify app, WordPress plugin, embed snippet) — until you do, that deployment will fail to connect.
Screenshot: The token-rotation confirmation dialog.
Tip: Rotate proactively every 90 days as a hygiene habit, even when nothing’s leaked.
Step 4: Revoke a deployment
Click the trash icon on a deployment row to revoke it. The token is invalidated; the host loses access. The deployment row stays for audit.
Step 5: Allowed domains
Per-organization (or per-deployment, depending on plan) you can set a list of domains the widget is allowed to load on. Requests from anywhere else are refused.
In Install → Allowed domains, add each domain you ship to:
- Exact: app.example.com
- Wildcard subdomains: *.example.com
- Multiple: comma-separated or one-per-line.
Localhost is allowed by default for development. Remove it before going live if you don’t want people running widgets locally.
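A pre-launch check for the list described above, as an added example (not the product's own matcher): it parses a pasted list, tests hosts against exact and wildcard entries, and flags entries worth a second look. The function names are hypothetical, and it assumes *.example.com covers subdomains at any depth but not the bare example.com; confirm how your plan treats the apex domain.

```javascript
// Added example: hypothetical helpers, not the product's own matcher.
// Assumption: "*.example.com" covers subdomains at any depth, not bare "example.com".

// Constructed sample list, mixing the comma and one-per-line forms.
const SAMPLE_LIST = "app.example.com, *.example.com\nlocalhost";

// Split a pasted list into normalized, non-empty entries.
function parseAllowedDomains(text) {
  return text
    .split(/[,\n]/)
    .map((entry) => entry.trim().toLowerCase())
    .filter((entry) => entry.length > 0);
}

// True when host equals an exact entry or falls under a "*." wildcard entry.
function isHostAllowed(host, entries) {
  const h = host.trim().toLowerCase().replace(/\.$/, "");
  return entries.some((entry) => {
    if (entry.startsWith("*.")) {
      // Keep the leading dot so "notexample.com" cannot match "*.example.com".
      const suffix = entry.slice(1);
      return h.length > suffix.length && h.endsWith(suffix);
    }
    return h === entry;
  });
}

// Flag entries to review before going live.
function lintAllowedDomains(entries) {
  const warnings = [];
  for (const entry of entries) {
    if (entry === "localhost") {
      warnings.push(`${entry}: development host still listed`);
    } else if (entry === "*" || /^\*\.[^.]+$/.test(entry)) {
      warnings.push(`${entry}: wildcard is broader than a single site`);
    } else if (/[/:]/.test(entry)) {
      warnings.push(`${entry}: expected a bare host, found a scheme, port or path`);
    }
  }
  return warnings;
}

const entries = parseAllowedDomains(SAMPLE_LIST);
for (const host of ["app.example.com", "shop.example.com", "notexample.com", "example.com.other.test"]) {
  console.log(host, isHostAllowed(host, entries) ? "allowed" : "refused");
}
console.log(lintAllowedDomains(entries));
```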
Common token-management patterns
- Per-environment tokens. Generate separate dev / staging / prod deployments. Rotating one doesn’t break the others.
- Per-customer (agency): each customer gets their own deployment row, easy to revoke when the contract ends.
- Public CDN tokens. Even with a token in client code, the allowed-domains list keeps abuse out.
Troubleshooting
- All deployments suddenly fail. Did someone rotate at the org level? Check audit logs in Settings → Activity.
- Token works locally, fails in production. Allowed domains may not include the production domain.
- Can’t see the rotate button. You may not have deploy permission on this chatbot. → Per-chatbot permissions.