API keys
Create and manage API keys for authenticating programmatic access to DGbot.
Types of keys
DGbot uses two types of identifiers:
Chatbot ID — Your chatbot's public identifier. Used in the widget embed snippet (data-chatbot-id). Safe to include in your website HTML — it identifies which chatbot to load but does not grant API access.
HMAC secret — Used for identity verification. Your server signs visitor identity payloads with this secret to prove the user data is authentic. Never expose this in client-side code. See the Widget configuration guide for signing instructions.
API key (Phase 2) — Will be used for REST API access. Create via Settings → API keys. Treat like a password — never commit to version control.
Create an API key
Go to Settings → API keys in the admin panel.
Open Settings in adminThe API keys section. Each key shows its creation date and last used date.
Give the key a descriptive label — "Production server", "Staging environment", "Zapier integration". Labels help you identify keys when you need to rotate them later.
The key is shown only once. Copy it and store it in a secure location (a password manager or secret management service). Click Done to dismiss.
Security best practices
Never include API keys in client-side code. API keys should only exist in server-side environments (backend code, environment variables, CI/CD secrets). Client-side JavaScript is visible to anyone — use the chatbot ID instead.
Rotate keys if compromised. If an API key is exposed (committed to a public repository, included in a screenshot, etc.), revoke it immediately in Settings → API keys and create a new one.
Use one key per environment. Create separate keys for production, staging, and development. This lets you rotate one without affecting others.
Set a reminder to audit keys quarterly. Delete any keys that are no longer in use.