Magento AI Support
Back to hub Login Create account

Security posture

Security controls in Lite

Transport + validation

  • HTTPS local domains and strict Origin/Referer allowlist.
  • Signed requests with timestamp + nonce anti-replay.
  • Payload size and message length guardrails.

Abuse protection

  • Rate limiting per IP/session/shop day/hour.
  • Optional captcha gate on first message.
  • Concurrent request cap and Magento circuit breaker.

Key handling

  • OpenAI and integration tokens encrypted server-side.
  • Secrets never shipped to browser except temporary widget session token.
  • No secrets written to logs.

Disable controls

  • Global kill switch with maintenance message.
  • Per-shop enable/disable in merchant portal.
  • All widget APIs return 503-friendly JSON when disabled.