Encrypting sensitive data in web chat

Add another level of encryption to hide sensitive data users might send in the web chat by enabling web chat security with the public key that is provided by IBM. The content in this section applies to the new chat.

Use this method to encrypt sensitive information in messages that come from your website, such as information about a customer's personal information, a user ID, or security tokens to use in webhooks that you call from actions. Information passed to your assistant in this way is stored in a private context variable, and shown in skills if they are configured with the x-ibm-skill-headers property. Private variables cannot be seen by customers and are never sent back to the web chat.

To encrypt sensitive data:

  1. From the menu, click Beta chat settings, and select the Embed chat tab.
  2. Toggle Security to On, and click Generate key to generate the IBM-provided public key.
  3. Copy the public key that is displayed in the IBM-provided public key field. Save this public key in a safe location, and do not enter that directly into the web chat embed script. You can save it as an environment variable in your server's backend.
  4. In the JavaScript function that you use to generate your JWT, include in the payload a private claim called user_payload. Use this claim to contain the sensitive data, encrypted with the IBM public key.

The following code snippet demonstrates how to encrypt sensitive data by using the RSA public key algorithm. It takes a JSON string that represents the user payload of a JWT (JSON Web Token) and encrypts it using the IBM public key. The encrypted data is then converted to a Base64 string and assigned back to the user payload of the JWT.

// Example code snippet to encrypt sensitive data in JWT payload.
const dataString = JSON.stringify(jwtContent.user_payload);

  // Encrypt the data
  const encryptedBuffer = crypto.publicEncrypt(
    {
      key: IBM_PUBLIC_KEY,
      padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
      oaepHash: 'sha256'  // Specify OAEP padding with SHA256
    },
    Buffer.from(dataString, 'utf-8')
  );

  // Convert encrypted data to base64
  jwtContent.user_payload = encryptedBuffer.toString('base64');
Tip: The user payload must be a valid JSON data. The web chat uses the default options of the Node-RSA library, which expects the encryption scheme pkcs1_oaep, signing scheme pkcs1-sha256, and the encryption encoding base64.

When the web chat integration receives a message signed with this JWT, the content of the user_payload claim is decrypted and saved as the context.integrations.chat.private.user_payload object. Since it is a private variable, it will not be included in logs. If you have skills that define the user_payload in the x-ibm-skill-headers property, your skill is able to return the data saved in the user_payload.


Parent topic:

Embedding the Orchestrate chat in a page
Enabling web chat security
Encrypting sensitive data in web chat
Authenticating users in web chat