
Authentication

How authentication works for the dashboard and the widget.

Dashboard Authentication (BFF Pattern)

The Raasie dashboard uses a Backend-for-Frontend (BFF) authentication pattern for maximum security. Your browser never sees JWT tokens directly:

1. You submit your credentials to the Next.js server
2. The server forwards them to the Raasie Gateway, which validates and returns JWT tokens
3. The server stores the tokens in HttpOnly cookies (inaccessible to JavaScript)
4. On subsequent requests, the server reads the cookie and adds the Bearer token to API calls
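The following is an added example, not code from the Raasie dashboard, showing the four steps above as framework-agnostic helpers that run without Next.js. The cookie name `raasie_session`, the `{ accessToken }` response shape, and the `gatewayLogin` callback (standing in for the real HTTPS call to the Gateway) are assumptions made for this example.

```javascript
// Added example, not the Raasie dashboard's code: the BFF login and proxy steps
// as plain helpers. Assumptions: the cookie name "raasie_session", the Gateway
// login response shape { accessToken }, and `gatewayLogin` as a stand-in for the
// real call to the Gateway.
const COOKIE_NAME = "raasie_session"; // assumed cookie name

// Step 3: turn the Gateway-issued token into a Set-Cookie value. HttpOnly keeps it
// out of document.cookie (script on the page cannot read it), Secure limits it to
// HTTPS, SameSite=Lax keeps it off cross-site POSTs, Path=/ covers the dashboard.
function sessionCookieFor(accessToken) {
  return `${COOKIE_NAME}=${encodeURIComponent(accessToken)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Steps 1-3: the server, not the browser, talks to the Gateway. The token reaches
// the browser only inside the Set-Cookie header, never in the response body.
async function login(credentials, gatewayLogin) {
  const { accessToken } = await gatewayLogin(credentials);
  return { status: 204, headers: { "Set-Cookie": sessionCookieFor(accessToken) }, body: null };
}

// Minimal Cookie-header parser: "a=1; b=2" -> { a: "1", b: "2" }. Uses a
// prototype-less object so cookie names like "__proto__" cannot do anything odd.
function parseCookies(cookieHeader) {
  const out = Object.create(null);
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      // Malformed percent-encoding: ignore the cookie rather than throw.
    }
  }
  return out;
}

// Step 4: on a later dashboard request, read the session cookie server-side and
// turn it into the Authorization header for the Gateway call. Returns null when
// there is no session so the caller can answer 401 instead of forwarding.
function upstreamHeaders(cookieHeader) {
  const token = parseCookies(cookieHeader)[COOKIE_NAME];
  return token ? { Authorization: `Bearer ${token}` } : null;
}
```

In a real route handler, `login` would wrap a `fetch` to the Gateway and `upstreamHeaders` would be applied to every proxied API call; the point of the pattern is that the JWT only ever appears in the cookie header and in server-side requests.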

Widget Authentication (API Keys)

The widget uses API key authentication directly with the Raasie Gateway. Each website has its own API keys:

- Keys are passed via the `data-key` attribute on the script tag
- The Gateway validates the key and identifies the associated website
- All requests from the widget are scoped to that website's knowledge bases

<script src="https://raasie.com/widget.js" data-key="rk_live_abc123"></script>

API Key Security

API keys are designed to be used in client-side code (they're visible in your page source). They provide:

- Read-only access — Widget keys can only query knowledge bases and create conversations
- Rate limiting — Enforced per key to prevent abuse
- Domain validation — Keys can be restricted to specific domains (Enterprise)

Keys cannot modify your knowledge base, access other websites, or perform admin operations.
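As an added example, not Raasie's Gateway code, the check below shows how a Gateway could enforce the per-website scoping from the Widget Authentication section together with the three properties listed above (read-only operations, a per-key rate limit, and domain restriction). The key records, the knowledge-base ownership table, the operation names, the limit values, and the use of the `Origin` header for domain validation are all assumptions made for this example.

```javascript
// Added example, not Raasie's Gateway code: server-side enforcement of widget
// key properties. Key records, ownership table, operation names, limits and the
// Origin-header check are assumptions for illustration.

// Constructed sample key records; the key strings are placeholders. A Map avoids
// prototype lookups (a key named "constructor" must not resolve to anything).
const KEYS = new Map([
  ["rk_live_abc123", { websiteId: "site_1", allowedOrigins: null }],                     // no domain restriction
  ["rk_live_def456", { websiteId: "site_2", allowedOrigins: ["https://shop.example"] }], // domain-restricted key
]);

// Constructed ownership table: which website each knowledge base belongs to.
const KNOWLEDGE_BASES = new Map([["kb_a", "site_1"], ["kb_b", "site_2"]]);

// The only operations a widget key may perform; anything else is refused.
const WIDGET_OPERATIONS = new Set(["knowledge.query", "conversation.create"]);

// Fixed-window rate limit per key (values assumed for the example).
const RATE_LIMIT = 5;
const WINDOW_MS = 60_000;
const windows = new Map(); // key -> { start, count }

function withinRateLimit(key, now) {
  const w = windows.get(key);
  if (!w || now - w.start >= WINDOW_MS) {
    windows.set(key, { start: now, count: 1 });
    return true;
  }
  w.count += 1;
  return w.count <= RATE_LIMIT;
}

// Decide whether one widget request may proceed. The website is derived from the
// key and never taken from the request, so a key can only reach its own data.
function authorizeWidgetRequest({ key, operation, origin, knowledgeBaseId, now = Date.now() }) {
  const record = KEYS.get(key);
  if (!record) return { ok: false, status: 401, reason: "unknown key" };
  if (!withinRateLimit(key, now)) return { ok: false, status: 429, reason: "rate limit exceeded" };
  if (record.allowedOrigins && !record.allowedOrigins.includes(origin)) {
    return { ok: false, status: 403, reason: "origin not allowed for this key" };
  }
  if (!WIDGET_OPERATIONS.has(operation)) {
    return { ok: false, status: 403, reason: "operation not permitted for widget keys" };
  }
  if (knowledgeBaseId !== undefined && KNOWLEDGE_BASES.get(knowledgeBaseId) !== record.websiteId) {
    return { ok: false, status: 403, reason: "knowledge base belongs to another website" };
  }
  return { ok: true, status: 200, websiteId: record.websiteId };
}
```

The order matters: the key is resolved first, the rate limit is charged to the key before any further work, and every later decision uses the website derived from the key rather than anything the page supplied.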

Service-to-Service Authentication

Raasie's internal microservices communicate using an internal service secret (`X-Service-Secret` header). This is separate from user authentication and ensures that only authorized services can make internal API calls. You don't need to worry about this — it's handled automatically.