Security & Access Control

Rate limiting, signed widget sessions, and origin allowlisting for the widget and hosted page.

Open Dashboard → Agents → your agent → Security to control how the public widget and hosted page can be used. These settings only apply to widget/hosted-page traffic — not to the dashboard playground, which is already behind your login session.

Rate limiting

Protects against abuse of the unauthenticated widget/hosted-page chat endpoint.

SettingDefault
EnabledOn
Max messages20
Window240 seconds
Cooldown after limit reached300 seconds
Limit-reached message"Too many messages in a row"

Rate limiting is on by default for every agent, because widget traffic isn't authenticated. You can tune the thresholds or the message shown to visitors, but turning it off entirely is not recommended for a publicly embedded agent.

Signed embed sessions

SettingDefault
Require signed widget sessionOn
Session TTL900 seconds (15 minutes)

When enabled, the widget/hosted-page frontend must present a short-lived, signed session token with every chat request. This prevents someone from scripting requests directly against your chat endpoint from outside your allowed origins.

Allowed origins

An allowlist of domains permitted to embed the widget or load the hosted page, for example:

Code
example.com
*.example.com
app.example.com

Wildcards like *.example.com match any subdomain. An empty allowlist blocks all third-party origins — your own Mozo app origin is always implicitly allowed so hosted pages and previews keep working, but every other domain you want to embed on must be added explicitly.

If a newly embedded widget doesn't load on a new domain, this allowlist is the most common cause. Add the domain (or a wildcard covering it) and reload.

Resetting to defaults

The Security page has a Reset to defaults action that restores the values above if you've changed something and want to start over.