Security
Ringnity has several credentials because each one protects a different boundary. The safest integration keeps public bootstrap values in client code, secret keys in backend code, and OAuth/OIDC tokens only for identity login flows.
- Use the slug or Public Widget Key in browser code.
- Do not expose secret keys in frontend code.
- Allowed domains are validated by the Ringnity backend.
- Visitor SDK session tokens are short-lived and scoped.
- OAuth2/OIDC is not required for public Visitor SDK usage.
- Enterprise server-to-server auth can be added without changing browser or mobile token rules.
Credential boundaries
| Credential | Used for | Lives in | Rule |
|---|---|---|---|
| Public slug / install key | Browser and website bootstrap | Public website code | Public identifier only. |
| Runtime token | SDK runtime for chat, calls, AI, and reports | Browser or mobile app | Short-lived and scoped. |
| Server API key | Backend token exchange, contacts, reports, webhooks | Customer backend only | Secret and never shown to frontend/mobile. |
| OAuth/OIDC token | Login with Ringnity identity and SSO | External app backend or trusted OIDC plugin | Proves user identity, not SDK runtime access. |
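
One way to enforce the "Customer backend only" rule for the Server API key is a build-time scan of the frontend output. This is an added example, not Ringnity's own code. The environment variable names `SCAN_DIR` and `RINGNITY_SERVER_API_KEY` and the minimum key length are assumptions.

```javascript
// Added example: fail a build when a backend secret appears in frontend output.
const fs = require("fs");
const path = require("path");

// Forms in which a secret commonly survives bundling or templating.
// Base64 only matches when the secret was encoded on its own, not inside a larger string.
function secretVariants(secret) {
  const raw = Buffer.from(secret, "utf8");
  return [
    ["raw", raw],
    ["base64", Buffer.from(raw.toString("base64"))],
    ["hex", Buffer.from(raw.toString("hex"))],
  ];
}

// Yield every regular file under dir, recursively.
function* walk(dir) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) yield* walk(full);
    else if (entry.isFile()) yield full;
  }
}

// secrets: { label: value }. Returns findings without ever echoing the secret value.
function findSecretLeaks(buildDir, secrets) {
  const findings = [];
  for (const file of walk(buildDir)) {
    const data = fs.readFileSync(file);
    for (const [name, secret] of Object.entries(secrets)) {
      if (!secret || secret.length < 8) continue; // unset or too short to match safely (assumed threshold)
      for (const [encoding, needle] of secretVariants(secret)) {
        const offset = data.indexOf(needle);
        if (offset !== -1) {
          findings.push({ file: path.relative(buildDir, file), name, encoding, offset });
        }
      }
    }
  }
  return findings;
}

// CI use (hypothetical variable names): SCAN_DIR=dist RINGNITY_SERVER_API_KEY=... node scan.js
if (process.env.SCAN_DIR) {
  const key = process.env.RINGNITY_SERVER_API_KEY;
  const leaks = findSecretLeaks(process.env.SCAN_DIR, { RINGNITY_SERVER_API_KEY: key });
  for (const l of leaks) console.error(`${l.name} (${l.encoding}) in ${l.file} at byte ${l.offset}`);
  process.exitCode = leaks.length ? 1 : 0;
}
```

The public slug or install key is expected in the bundle and is deliberately not scanned for; only backend-only secrets belong in the `secrets` map.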
Backend token guide
Create short-lived runtime tokens from a customer backend without exposing Server API keys.
Login with Ringnity
Use OAuth2/OIDC when an external app needs Ringnity identity login or SSO.