Goldilocks Docs

Security Settings

Manage API keys, domain restrictions, and security configurations

Security Settings help you protect your Goldilocks account and control access to your widget and API.

Accessing Security Settings

  1. Go to Settings
  2. Click Security (or find in account settings)

API Keys

Your API Key

Your API key is used to:

  • Authenticate the widget on your site
  • Make API calls (if using the API)
  • Identify your account

Viewing Your Key

  1. Go to Settings > Security
  2. Find API Keys section
  3. Click to reveal key

Keep your API key secure. It is designed to be used in client-side code, so anyone who views your page source can read it; limit where it appears and rely on domain restrictions to control where it can actually be used.

Regenerating Keys

If your key is compromised:

  1. Go to API Keys section
  2. Click Regenerate Key
  3. Confirm the action
  4. Update your widget embed code
  5. The old key stops working immediately

Multiple Keys

Enterprise accounts can have multiple keys:

  • Different keys for different environments
  • Separate keys for testing/production
  • Track usage per key

Domain Restrictions

What Are Domain Restrictions?

Domain restrictions limit where your widget can be loaded. Only websites on your approved list can use your widget.

Why Use Them?

  • Prevent unauthorized use
  • Block scrapers and bots
  • Ensure the widget loads only on your sites

Adding Domains

  1. Go to Settings > Security
  2. Find Allowed Domains
  3. Click Add Domain
  4. Enter domain (e.g., yoursite.com)
  5. Save

Domain Format

Entry              What It Allows
yoursite.com       yoursite.com and www.yoursite.com
*.yoursite.com     All subdomains
app.yoursite.com   Only that subdomain

Local Development

For development, add:

localhost
127.0.0.1

Or disable restrictions during development (not recommended for production keys).

Testing Restrictions

After adding restrictions:

  1. Try loading widget on allowed domain ✅
  2. Try loading on non-allowed domain ❌
  3. Verify behavior matches expectations
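As an added example that is not part of the Goldilocks documentation or product code, this Python matcher models the three entry formats from the Domain Format table plus the local-development entries, so you can sanity-check an allow-list against the Origin a widget request would send before trusting it in production. It assumes a wildcard entry does not cover the bare base domain and that matching is on whole host labels (so lookalike hosts such as evilyoursite.com are rejected); the allow-list entries are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list using each documented entry format, plus the two
# local-development entries the docs recommend.
ALLOWED_DOMAINS = [
    "yoursite.com",        # bare domain: also allows www.yoursite.com
    "*.partner.example",   # wildcard: all subdomains of partner.example
    "app.other.example",   # exact subdomain only
    "localhost",
    "127.0.0.1",
]


def host_of(origin: str) -> str:
    """Extract the lowercase hostname from an Origin/Referer-style URL."""
    parts = urlsplit(origin if "://" in origin else "https://" + origin)
    return (parts.hostname or "").rstrip(".").lower()


def entry_matches(entry: str, host: str) -> bool:
    """Apply one allow-list entry to a request host, per the docs' table."""
    entry = entry.lower().rstrip(".")
    if entry.startswith("*."):
        # Wildcard: any subdomain of the base. The leading dot in the suffix
        # check means "evilpartner.example" does not match "*.partner.example".
        # Assumption: the bare base domain itself is NOT covered.
        base = entry[2:]
        return host.endswith("." + base) and host != base
    if host == entry:
        return True
    # A bare domain entry also allows its www. variant, as the table states;
    # other subdomains of it are not allowed.
    return host == "www." + entry


def is_allowed(origin: str, allowed: list = ALLOWED_DOMAINS) -> bool:
    """True if the widget may load from this origin under the allow-list."""
    host = host_of(origin)
    return bool(host) and any(entry_matches(e, host) for e in allowed)


def check_origins(origins: list, allowed: list = ALLOWED_DOMAINS) -> dict:
    """Run the 'Testing Restrictions' step over a batch of origins."""
    return {o: is_allowed(o, allowed) for o in origins}
```

The "Testing Restrictions" checklist above maps onto check_origins: feed it one origin you expect to pass and one you expect to fail, and compare the results with what the live widget does.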

Two-Factor Authentication

Enable 2FA

Add an extra layer of security:

  1. Go to Settings > Security
  2. Find Two-Factor Authentication
  3. Click Enable 2FA
  4. Scan QR code with authenticator app
  5. Enter verification code
  6. Save backup codes

Authenticator Apps

Compatible apps:

  • Google Authenticator
  • Authy
  • 1Password
  • Microsoft Authenticator

Backup Codes

After enabling 2FA, save backup codes:

  • 10 one-time use codes
  • Use if you lose your device
  • Store securely (password manager)

Require 2FA for Team

Admins can require 2FA for all users:

  1. Go to Settings > Security
  2. Enable Require 2FA for all users
  3. Users must set up 2FA on next login

Session Security

Session Timeout

Configure how long sessions last:

Setting    Duration
Short      1 hour
Standard   24 hours
Extended   7 days

Shorter timeouts are more secure but less convenient.

Active Sessions

View and manage active sessions:

  1. Go to Settings > Security
  2. Find Active Sessions
  3. See all logged-in devices
  4. Click Revoke to log out a session

Log Out Everywhere

To log out all sessions:

  1. Go to Settings > Security
  2. Click Log Out All Sessions
  3. All sessions are terminated (including the current one)
  4. You must log in again

Audit Logs

What's Logged

Security-relevant actions are logged:

  • Login attempts (success/failure)
  • Password changes
  • Role changes
  • API key regeneration
  • Settings changes

Viewing Logs

  1. Go to Settings > Security
  2. Find Audit Log
  3. Browse or filter entries

Log Entry Details

Each entry shows:

  • Action - What happened
  • User - Who did it
  • Time - When it happened
  • IP Address - Where from
  • Details - Additional context

Exporting Logs

Download logs for review:

  1. Set date range
  2. Click Export
  3. Download CSV or JSON

Data Security

Encryption

Your data is protected by:

  • In transit - TLS 1.3 encryption
  • At rest - AES-256 encryption
  • Backups - Encrypted backup storage

Data Location

Data is stored in:

  • Primary: [Region]
  • Backups: [Backup region]

Enterprise customers can specify data residency.

Data Retention

How long data is kept:

Data Type       Retention
Conversations   Based on plan (30-365 days)
Analytics       12 months
Audit logs      12 months

Data Deletion

Request data deletion:

  1. Contact support
  2. Specify what to delete
  3. Deletion processed within 30 days

Or delete your entire account in account settings.

Best Practices

Key Management

  • Regenerate keys periodically
  • Use different keys for different environments
  • Don't commit keys to version control

Domain Restrictions

  • Always enable them in production
  • Review allowed domains regularly
  • Remove unused domains

Team Security

  • Require 2FA for all admins
  • Use least-privilege roles
  • Review access quarterly

Incident Response

If you suspect a breach:

  1. Regenerate API keys immediately
  2. Force logout all sessions
  3. Review audit logs
  4. Change passwords
  5. Contact support if needed