flowyte_pk_…) — a browser-safe key scoped to a single agent, locked to an origin
allowlist, and limited to the chat:public capability so it can never read tenant data. You
mint the key with your secret key, then paste a loader snippet. All paths are relative to
https://builder.flowyte.com/api/v1.
What you’ll use
| Action | Endpoint | Scope |
|---|---|---|
| Mint a publishable key | POST /agents/{id}/publishable-keys | pubkeys:write |
| Get the embed snippet | GET /agents/{id}/widget/embed | widgets:read |
| Customize theme / copy | PUT /agents/{id}/widget | widgets:write |
| Rotate the key | POST /agents/{id}/publishable-keys/{id}/rotate | pubkeys:write |
| Revoke the key | DELETE /agents/{id}/publishable-keys/{id} | pubkeys:write |
Mint a publishable key
allowedOrigins is the allowlist of sites that may use this key. Match each origin exactly —
scheme + host (+ port). Include both the apex and www if you serve both. Set rateLimitRpm
to bound abuse. The full key is returned in keyPublic (it’s public, so it isn’t show-once).
Get the embed snippet
Pass the key’s publishableKeyId to get the loader. The response carries scriptSnippet and
the publishableKey to drop into your page.
Paste it on your site
Copy the exact scriptSnippet returned above into your page, just before </body>. It looks
like a single async loader tag carrying your publishable key:
The widget loads its theme and copy from a public bootstrap call — no secrets in the browser.
A request from an origin that isn’t on the allowlist is rejected with 403 — add the exact
origin and try again. To roll a key without changing the agent or origins, use rotate (it
keeps a short grace window); use revoke to kill it immediately.
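To check an allowedOrigins list against the pages that will host the widget before you mint the key, and so avoid the 403 described above, here is an added example (not Flowyte code). It assumes an entry matches only when it equals the page's origin exactly; the function names and the example.com sample data are constructed for illustration.

```javascript
// Added example, not Flowyte code. Assumption: an allowlist entry matches only
// when it equals the page's origin exactly (scheme + host + non-default port).

// Canonicalise one allowedOrigins entry, or throw if it is not a bare origin.
function canonicalOrigin(entry) {
  if (entry.includes("*")) throw new Error(`wildcards are not exact origins: ${entry}`);
  let u;
  try {
    u = new URL(entry);
  } catch {
    throw new Error(`not an absolute URL: ${entry}`);
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error(`unsupported scheme: ${entry}`);
  }
  if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) {
    throw new Error(`entry must be scheme + host (+ port) only: ${entry}`);
  }
  return u.origin; // host lower-cased, default port (443/80) dropped
}

// Return the page URLs whose origin is missing from the allowlist, paired with
// the exact origin string that would have to be added.
function uncoveredPages(allowedOrigins, pageUrls) {
  const allowed = new Set(allowedOrigins.map(canonicalOrigin));
  return pageUrls
    .map((page) => ({ page, origin: new URL(page).origin }))
    .filter(({ origin }) => !allowed.has(origin));
}

// Constructed sample data (example.com is a placeholder site).
const SAMPLE_ALLOWLIST = ["https://example.com", "https://WWW.example.com:443/"];
const SAMPLE_PAGES = [
  "https://example.com/pricing",       // covered: apex
  "https://www.example.com/",          // covered: www listed separately
  "http://example.com/",               // different scheme
  "https://example.com:8443/app",      // different port
  "https://shop.example.com/cart",     // different host
];

for (const { page, origin } of uncoveredPages(SAMPLE_ALLOWLIST, SAMPLE_PAGES)) {
  console.log(`${page} -> add "${origin}" to allowedOrigins`);
}
```

Each reported origin is the string to add to allowedOrigins if that page should be able to load the widget; anything you do not add stays blocked.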