The Security panel controls who can talk to your agent and how often. Two settings live here: an allowlist of domains that can embed the widget, and a per-visitor rate limit.
Find these settings under Settings → Security on any agent. The agent's public/private toggle lives under General Settings.
Allowed domains
By default a public agent can be embedded anywhere on the open internet. Add domains to the Allowed Domains field to restrict where the widget will load:
- One domain per line — for example mysite.com and app.mysite.com.
- The check is exact-hostname. Subdomains are not implied: list each subdomain explicitly if you need it.
- Leave empty to allow every domain.
When a visitor loads the embed from a domain that isn't on the list, the widget refuses to render and shows an "unauthorised" message.
Rate limiting
The Rate Limiting field caps how many messages a single visitor (by IP) can send within a 60-second window. When the cap is hit, the next message is refused with the message you set in Rate Limit Message.
Typical values:
- 0 — no per-visitor limit (the team plan's overall limit still applies).
- 10–30 — sensible defaults for an interactive support widget.
- 3–5 — strict; useful when the agent triggers expensive tools on every message.
What else protects an agent
Other panels include security-adjacent settings. Pair Security with:
- Performance — set daily and monthly token caps so a runaway visitor can't drain the budget.
- Compliance — turn on PII redaction so logs never store sensitive details, and audit logging so security events are traceable.
- Custom domains — serve the widget from your own subdomain rather than chatzuri.com.
