Credential model
| Credential | Where it lives | Purpose |
|---|---|---|
| Server API credential | Your server or secret manager. | Authenticated Woes public API requests. |
| Widget public key | Browser code. | Routes widget traffic to the correct workspace. |
| Conversation history secret | Customer browser state for one conversation. | Authorizes loading that conversation’s widget history. |
| API test credential | Woes credential storage. | Lets Woes run guarded live API tests against your API. |
Planned capabilities
Server credentials
API keys or bearer tokens for server-to-server integration.
Scopes
Read and write boundaries for resources such as conversations, customers, and sources.
Rotation
Create, revoke, and rotate credentials without exposing old secrets.
Usage metadata
Audit-friendly metadata for credential usage without leaking the credential itself.
Expected scope categories
Final scope names are not published yet. Expected categories include:
- Workspace settings.
- Conversations.
- Messages.
- Customers.
- API Context sources.
- Agent and Lab data.
- Channels.
- Webhooks.
Integration expectations
Store it securely
Keep server credentials in a secret manager, not in browser code or client-side config.
Call authenticated APIs
Send the credential from your server when endpoint-level docs are available.
Security expectations
- Do not expose server keys in browser code.
- Use the narrowest scope that supports your integration.
- Treat logs as sensitive if they include authorization headers.
- Rotate credentials after suspected exposure.
- Keep widget keys and server credentials conceptually separate.
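
The sketch below shows one way to apply the logging and usage-metadata points above on your own server: a filter scrubs authorization header values before log handlers see them, and audit lines carry a keyed fingerprint in place of the credential. It is an added example, not Woes code. The `Authorization: Bearer` header form, the sample credential, the audit key, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import logging
import re

# Matches "Authorization: Bearer x" and dict forms like {'Authorization': 'Bearer x'}.
_AUTH_RE = re.compile(
    r"""(authorization["']?\s*[:=]\s*["']?)((?:bearer|basic|token)\s+)?([^\s"',}]+)""",
    re.IGNORECASE,
)

def redact(text: str) -> str:
    """Keep the header name and scheme, drop the credential value."""
    return _AUTH_RE.sub(lambda m: f"{m.group(1)}{m.group(2) or ''}[REDACTED]", text)

class RedactAuthFilter(logging.Filter):
    """Logging filter that scrubs Authorization values before handlers see them."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), None
        return True

def credential_fingerprint(credential: str, audit_key: bytes) -> str:
    """Keyed, truncated HMAC: identifies which credential was used in audit
    records without storing the credential or an unkeyed hash of it."""
    return hmac.new(audit_key, credential.encode(), hashlib.sha256).hexdigest()[:16]

class _ListHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

def demo() -> list:
    secret = "example-server-credential-0001"   # constructed sample value
    audit_key = b"constructed-audit-key"          # assumption: kept in the secret manager
    handler = _ListHandler()
    logger = logging.getLogger("redaction-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addFilter(RedactAuthFilter())
    logger.addHandler(handler)
    logger.info("outbound request headers=%s", {"Authorization": f"Bearer {secret}"})
    logger.info("retrying, Authorization: Bearer %s", secret)
    logger.info("credential_used fp=%s", credential_fingerprint(secret, audit_key))
    return handler.lines

if __name__ == "__main__":
    print("\n".join(demo()))
```

A filter attached to a logger only covers records emitted through that logger; attach it to each handler instead if other loggers in the process may also log request headers.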
