Overview of web chat security

By default, all messages that are sent between the web chat and the assistant are encrypted with Transport Layer Security (TLS). You can enable the web chat security feature if you need more robust protection.

The web chat embed script that you include on your website contains unique identifiers (such as the integration ID and service instance ID) that enable the web chat to connect with your assistant. These identifiers are not considered secret, and are visible to anyone who has access to your website. Anyone who has these IDs can use them to send messages to your assistant and receive its replies. However, these IDs cannot be used to log in to your account, make changes to your assistant, or retrieve logs or analytics information about your assistant.

If you enable security, you can configure the web chat to authenticate users, protect private data, and restrict access to your assistant.

All messages that are sent between the web chat and the assistant are encrypted by using Transport Layer Security (TLS), which protects sensitive data as it travels through the network. However, there are still potential security exposures that you might need to protect against. By enabling the web chat security feature and updating your website code appropriately, you can add the following protections:

  • You can prevent unauthorized websites from sending messages to your assistant, even if they copy your web chat embed script. The unique identifiers in the embed script, such as the integration ID and service instance ID, are visible to anyone who has access to your website.

  • You can securely authenticate customers to control access to features of your assistant that require authorization.

  • You can encrypt sensitive data so customers cannot see it, while still allowing your assistant to access it.

Web chat security uses JSON Web Tokens (JWTs), which are data objects that are sent with each message from your website to the watsonx Orchestrate service. Because a JWT is digitally signed by using a private encryption key that only you have, the signature ensures that each message originates with your website. The JWT payload can also be used to securely authenticate users and carry encrypted private data.

Tip: For detailed information about JSON Web Tokens, see the JWT specification.

Enabling web chat security involves making the following customizations:

  • Implementing web application server code that generates a JWT signed with your private encryption key

  • Customizing the web chat configuration to provide the generated JWT

  • Enabling security in the web chat security settings

Important: After you enable web chat security, any message that is received by the web chat integration that is not accompanied by a properly signed JWT will be rejected.

To enable web chat security, you must change your web application server code and the web chat embed script, as well as the web chat integration settings.
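The signing step described above, as an added example that is not part of the original documentation or the product's own code: a web application server mints a short-lived JWT with its private key, and a verifier holding only the public key rejects copied, tampered, or expired tokens. The RS256 algorithm, the `sub`, `iat`, and `exp` claims, and the function names are assumptions chosen for illustration.

```javascript
// Added example: sign and verify an RS256 JWT with Node's built-in crypto module.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Server side: mint a short-lived token signed with the private key.
function signJwt(payload, privateKey, ttlSeconds = 300) {
  const now = Math.floor(Date.now() / 1000);
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ ...payload, iat: now, exp: now + ttlSeconds }));
  const signature = crypto.sign('sha256', Buffer.from(`${header}.${body}`), privateKey);
  return `${header}.${body}.${signature.toString('base64url')}`;
}

// Receiving side: accept only unexpired RS256 tokens that verify against the public key.
function verifyJwt(token, publicKey) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, body, signature] = parts;
  let alg, claims;
  try {
    alg = JSON.parse(Buffer.from(header, 'base64url').toString()).alg;
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm: never let the token's own header choose how it is checked.
  if (alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  const valid = crypto.verify('sha256', Buffer.from(`${header}.${body}`), publicKey,
    Buffer.from(signature, 'base64url'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  if (typeof claims?.exp !== 'number' || claims.exp <= Math.floor(Date.now() / 1000)) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, claims };
}

// Constructed demo keys; in production the private key stays on your server only.
const site = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const copycat = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const genuine = signJwt({ sub: 'user-123' }, site.privateKey);   // your website
const forged = signJwt({ sub: 'user-123' }, copycat.privateKey); // site that copied the embed script
const stale = signJwt({ sub: 'user-123' }, site.privateKey, -60); // already expired
```

Only `genuine` verifies against `site.publicKey`; the token from the site that copied the embed script fails the signature check because that site does not hold your private key.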

