Security for Web Messenger Guest API (WebSocket)

Hello - my team is transitioning off of using the Web Chat Guest APIs, and transitioning to using the Web messaging Guest API. As I examine the documentation for the Web messaging Guest API, i had a security-related question.

Do I really only need a deploymentId to be able to make send and receive messages on behalf of my Genesys Cloud organization?

With the Web Chat Guest API, I initiate the web socket connection by calling a REST API that generates a unique (I assume) wss:// url, thus providing some layer of security for the discoverability of the URL necessary to establish a web socket connection, but it seems like there only exist the static URLs for the Web Messenger version.

I just want to validate that I'm understanding this correctly, and that this is Genesys' recommended pattern. I have some concerns about the static deploymentId guid being the only layer of security for establishing a connection with my web messenger deployment.

Hello, and thank you for your interest in web messaging
deploymentId is needed but is not the only way to restrict access
I suggest you to enable domain restriction for your messenger deployment (read more about that Deploy Messenger - Genesys Cloud Resource Center )

Under Restrict domain access, determine whether to allow all domains or restrict the domains on which you want to deploy the snippet.  

    To allow all domains, select the Allow all domains option. Use this option for testing and development purposes.
    To restrict domains, enter a domain and click Add Domain. You can add multiple domains to the list. Restrict domains to prevent unauthorized usage of your snippet from unknown domains. If you restrict a domain, then Messenger does not run on that website and rejects API requests from that domain.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.