Client tokens and domain restrictions

Chat widgets use client tokens for authentication and support domain restrictions to prevent unauthorized use.

How client tokens work

When you embed a chat widget, it uses a client token to authenticate with Runtype. Client tokens are:

  • Public — Safe to expose in client-side code
  • Scoped — Limited to a specific Product and surface
  • Domain-restricted — Only work on approved domains

You never manually handle client tokens—the widget script includes them automatically.

Setting up domain restrictions

Configure which domains can use your chat widget:

  1. Open your chat Surface
  2. Go to the Auth tab
  3. Find Allowed Origins
  4. Add domains:

example.com
www.example.com
app.example.com

  5. Click Save

The widget will only function on listed domains. Requests from other domains are rejected.

Wildcard domains

Use wildcards for subdomains:

*.example.com

This allows app.example.com, staging.example.com, and any other subdomain.

Using * alone allows any domain. Only use this for testing—never in production.

Development and testing

Add local development URLs for testing:

localhost:3000
127.0.0.1:8080
*.ngrok.io

This lets you test the widget locally before deploying.

Multiple environments

Development and production surfaces have separate domain lists:

  • Development surface: Add staging and local URLs
  • Production surface: Add only live domain(s)

This prevents accidentally using production widgets on development sites.

Protocol and port handling

Domain restrictions ignore the protocol, and they ignore the port unless an entry specifies one:

  • example.com matches both http://example.com and https://example.com
  • localhost:3000 requires the specific port
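
The matching rules from the sections above (exact entries, `*.example.com` wildcards, protocol ignored, port checked only when an entry lists one), modelled as an added example together with a check for development entries left on a production list. This is not Runtype's code: the function names, the choice that a wildcard does not cover the bare apex domain, and the audit rules are assumptions.

```javascript
// Added example: a model of the allow-list rules described on this page.
// Assumed semantics, not Runtype's implementation.
function parseOrigin(origin) {
  const u = new URL(origin);                  // throws on malformed input
  return { host: u.hostname.toLowerCase(), port: u.port }; // protocol dropped
}

function entryMatches(entry, origin) {
  const { host, port } = parseOrigin(origin);
  if (entry === '*') return true;             // bare wildcard: any domain
  const [pattern, entryPort] = entry.toLowerCase().split(':');
  if (entryPort !== undefined && entryPort !== port) return false;
  if (pattern.startsWith('*.')) {
    // Compare against ".example.com" so "evilexample.com" cannot match.
    const suffix = pattern.slice(1);
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pattern;
}

function isAllowed(allowlist, origin) {
  try {
    return allowlist.some((entry) => entryMatches(entry, origin));
  } catch {
    return false;                             // unparseable origin: reject
  }
}

// Flag entries the page reserves for testing or a development surface.
function auditProductionList(allowlist) {
  const findings = [];
  for (const entry of allowlist) {
    const host = entry.toLowerCase().split(':')[0];
    if (entry === '*') findings.push({ entry, issue: 'allows any domain' });
    else if (host === 'localhost' || host === '127.0.0.1')
      findings.push({ entry, issue: 'local development URL' });
    else if (host.endsWith('.ngrok.io'))
      findings.push({ entry, issue: 'tunnel domain used for testing' });
  }
  return findings;
}

// Constructed sample lists built from the entries shown on this page.
const production = ['example.com', 'www.example.com', '*.example.com'];
const mixed = ['example.com', 'localhost:3000', '*.ngrok.io', '*'];
```

Running `auditProductionList` over a production surface's list before saving it catches the `*` and local entries that the page says belong only in testing.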

Troubleshooting domain issues

Widget shows but doesn’t respond:

  1. Check browser console for authentication errors
  2. Verify current domain is in allowed list
  3. Ensure there are no typos in domain names
  4. Check for www vs non-www mismatches

CORS errors:

If you see CORS-related errors, the domain isn’t approved. Add it to the allowed domains list.

Rotating client tokens

If a client token is compromised:

  1. Open your chat Surface
  2. Go to the Auth tab
  3. Click Rotate Token
  4. Confirm the action
  5. Update your widget embed code with the new token

Old tokens stop working immediately after rotation.

Client tokens are different from API keys. API keys are secret and used server-side. Client tokens are public and used client-side with domain restrictions for security.

Next steps

  • Setting up an API surface (uses API keys, not client tokens)
  • Embedding the chat widget (script tag)
  • Development vs production environments