Security & Access Control
Rate limiting, signed widget sessions, and origin allowlisting for the widget and hosted page.
Open Dashboard → Agents → your agent → Security to control how the public widget and hosted page can be used. These settings only apply to widget/hosted-page traffic — not to the dashboard playground, which is already behind your login session.
Rate limiting
Protects against abuse of the unauthenticated widget/hosted-page chat endpoint.
| Setting | Default |
|---|---|
| Enabled | On |
| Max messages | 20 |
| Window | 240 seconds |
| Cooldown after limit reached | 300 seconds |
| Limit-reached message | "Too many messages in a row" |
Rate limiting is on by default for every agent, because widget traffic isn't authenticated. You can tune the thresholds or the message shown to visitors, but turning it off entirely is not recommended for a publicly embedded agent.
Signed embed sessions
| Setting | Default |
|---|---|
| Require signed widget session | On |
| Session TTL | 900 seconds (15 minutes) |
When enabled, the widget/hosted-page frontend must present a short-lived, signed session token with every chat request. This prevents someone from scripting requests directly against your chat endpoint from outside your allowed origins.
Allowed origins
An allowlist of domains permitted to embed the widget or load the hosted page, for example:
example.com
*.example.com
app.example.com
Wildcards like *.example.com match any subdomain. An empty allowlist blocks all
third-party origins — your own Mozo app origin is always implicitly allowed so hosted pages
and previews keep working, but every other domain you want to embed on must be added
explicitly.
If a newly embedded widget doesn't load on a new domain, this allowlist is the most common cause. Add the domain (or a wildcard covering it) and reload.
Resetting to defaults
The Security page has a Reset to defaults action that restores the values above if you've changed something and want to start over.