Mevichat

Bot API keys

A BotApiKey is the public identifier the widget uses to prove it's allowed to talk to your bot. Every embed on every page references one.

What it is

Each key has:

  • Public ID — mvc_pk_xxx, safe to ship in client-side HTML.
  • Allowed domains — a whitelist of hostnames (example.com, *.example.com). Requests from anywhere else are rejected server-side. An empty list means any origin is accepted (useful for local development).
  • Name — human label for the dashboard (e.g. "Production", "Marketing site", "Staging").
  • Last used at — timestamp of the most recent valid request.

The key is public by design. The security boundary is the allowed_domains whitelist, not the key's secrecy.

Creating a key

From Bot settings → API keys → New key:

  1. Name — how you'll find it later.
  2. Allowed domains — comma-separated list. Wildcards are allowed for subdomains: *.example.com matches www.example.com and blog.example.com, but not the bare example.com — list the apex domain separately if you need it.
  3. Click Create.

The dashboard shows the generated mvc_pk_xxx. Copy it into your embed:

<script async src="https://app.mevichat.com/widget.js"
  data-public-key="mvc_pk_xxx"></script>

Allowed domains are enforced server-side against the request Origin; there's no separate client-side attribute.
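The matching rule spelled out in "What it is" and in step 2 of "Creating a key" (exact hostnames, `*.` wildcards that cover subdomains but not the apex, empty list accepts everything) is easy to get wrong when reviewing a whitelist. The following is an added example, written for this page and not Mevichat's own server code: a small reimplementation of that documented rule so you can test a candidate whitelist against the Origin values your pages will send. The function names, the handling of a missing or unparsable Origin (rejected), and the sample whitelist are assumptions of this example.

```javascript
// Added example (not Mevichat's code): reimplementation of the documented
// allowed-domains rule so a whitelist can be checked before it is saved.
// Documented behaviour modelled here:
//   - an exact entry (example.com) matches only that hostname
//   - a wildcard entry (*.example.com) matches any subdomain, not the apex
//   - an empty list accepts any origin (local development only)
// Assumption: a request with no Origin, or one that does not parse as a URL
// (including the literal string "null"), is rejected.

function hostnameOf(origin) {
  if (!origin) return null;
  try {
    // Origin is serialised as scheme://host[:port]; compare hostnames only.
    return new URL(origin).hostname.toLowerCase();
  } catch {
    return null;
  }
}

function domainMatches(hostname, pattern) {
  const p = pattern.trim().toLowerCase();
  if (p.startsWith('*.')) {
    const suffix = p.slice(1); // ".example.com"
    // Require at least one label before the suffix, so the apex and
    // look-alikes such as evilexample.com do not match.
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return hostname === p;
}

function originAllowed(originHeader, allowedDomains) {
  // Empty whitelist: the documented "any origin" development behaviour.
  if (allowedDomains.length === 0) return true;
  const hostname = hostnameOf(originHeader);
  if (hostname === null) return false;
  return allowedDomains.some((d) => domainMatches(hostname, d));
}

// Parse a whitelist exactly as it is typed into the dashboard (comma-separated).
function parseAllowedDomains(text) {
  return text.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
}

// Constructed sample whitelist for this example.
const SAMPLE_ALLOWED = parseAllowedDomains('*.example.com, example.com');

// Walk a few constructed Origin values through the check.
function describe(origins, allowed) {
  return origins.map((o) => `${o ?? '(none)'} -> ${originAllowed(o, allowed) ? 'allowed' : 'rejected'}`);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of describe(
    ['https://www.example.com', 'https://example.com', 'https://evilexample.com', 'null', undefined],
    SAMPLE_ALLOWED,
  )) {
    console.log(line);
  }
}
```

Two things worth noticing when you run it: a whitelist of only `*.example.com` rejects `https://example.com`, which is the reason the docs say to list the apex separately, and a whitelist left empty accepts every origin, so keys with an empty list should never carry production traffic.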

Rotating keys

Rotate quarterly, or immediately if you suspect a domain whitelist leak.

  1. Create a new key with the same allowed domains.
  2. Update the embed snippet on your site with the new data-public-key.
  3. Deploy and verify the widget still loads (check the bot's conversation log).
  4. Revoke the old key.

Zero downtime — both keys work during the handoff window.

Revoking keys

From the key row → Revoke. Takes effect immediately:

  • In-flight requests using the key are canceled.
  • New requests get a 401 Invalid API key and the widget shows a load error.

Revoke old keys as soon as the rotation is verified. A revoked key cannot be restored — create a new one if you revoked by mistake.

Usage in the embed snippet

The data-public-key attribute is the only required wiring. Origin enforcement happens server-side against the key's allowed_domains list — there is no corresponding client-side attribute.

See Installation for the full embed options (React, CSP, custom domain).

Last-used timestamp

Every authenticated request updates last_used_at. Use it for:

  • Finding dormant keys safe to revoke.
  • Confirming a rotation actually took effect (old key's timestamp should stop advancing).
  • Debugging a silent embed — if last_used_at never updates, the widget isn't reaching our API.

The timestamp refreshes within a few seconds of each request.
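The "Rotating keys" steps and the last_used_at uses listed above amount to two checks a defender runs against the key list: which keys are dormant or open to any origin, and whether a rotation actually moved traffic to the new key. The following is an added example for this page, not Mevichat's dashboard or API code; it works over constructed key records shaped after the fields documented here (name, public ID, allowed domains, last used at, plus a revoked flag). The record field names, the 90-day dormancy cutoff and the placeholder mvc_pk_ values are assumptions of this example.

```javascript
// Added example (not Mevichat's code): audit a list of bot API key records
// using the fields documented on this page. Field names, the dormancy cutoff
// and the placeholder IDs are assumptions for the example.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample records; the mvc_pk_ values are placeholders, not real keys.
const SAMPLE_KEYS = [
  { name: 'Production', publicId: 'mvc_pk_prod_placeholder',
    allowedDomains: ['example.com', '*.example.com'],
    lastUsedAt: '2024-06-01T12:00:00Z', revoked: false },
  { name: 'Old production (rotated out)', publicId: 'mvc_pk_old_placeholder',
    allowedDomains: ['example.com', '*.example.com'],
    lastUsedAt: '2024-01-15T09:30:00Z', revoked: false },
  { name: 'Local dev', publicId: 'mvc_pk_dev_placeholder',
    allowedDomains: [], // empty list: any origin accepted
    lastUsedAt: '2024-05-30T08:00:00Z', revoked: false },
];

// Flag keys that are safe to revoke (dormant) and keys whose empty whitelist
// accepts any origin. Revoked keys are skipped: they cannot be restored anyway.
function auditKeys(keys, now, dormantDays = 90) {
  const cutoff = now.getTime() - dormantDays * DAY_MS;
  const findings = [];
  for (const k of keys) {
    if (k.revoked) continue;
    if (k.allowedDomains.length === 0) {
      findings.push({ publicId: k.publicId, issue: 'open-origin' });
    }
    const last = k.lastUsedAt ? Date.parse(k.lastUsedAt) : NaN;
    // A key that has never been used counts as dormant too.
    if (Number.isNaN(last) || last < cutoff) {
      findings.push({ publicId: k.publicId, issue: 'dormant' });
    }
  }
  return findings;
}

// Rotation check (step 3 of "Rotating keys"): after the deploy, the new key's
// timestamp should advance past the deploy time and the old key's should not.
function rotationTookEffect(oldKey, newKey, deployedAt) {
  const deployed = deployedAt.getTime();
  const oldLast = Date.parse(oldKey.lastUsedAt);
  const newLast = Date.parse(newKey.lastUsedAt);
  const newKeyServing = !Number.isNaN(newLast) && newLast >= deployed;
  const oldKeyIdle = Number.isNaN(oldLast) || oldLast < deployed;
  return newKeyServing && oldKeyIdle;
}

if (typeof require !== 'undefined' && require.main === module) {
  const now = new Date('2024-06-02T00:00:00Z');
  console.log(auditKeys(SAMPLE_KEYS, now));
  console.log(rotationTookEffect(SAMPLE_KEYS[1], SAMPLE_KEYS[0], new Date('2024-05-01T00:00:00Z')));
}
```

Because the timestamp only refreshes within a few seconds of a request, run the rotation check after real traffic has had time to hit the new embed; a `false` result right after deploying usually means the cache or CDN is still serving the old snippet, not that the key is broken.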