Widget token
What the token is and when to rotate it.
The widget token is a public identifier embedded in your widget snippet. Pegasus uses it to route incoming visitor requests to the correct bot. It is intentionally readable in your website source — security comes from allowed origins, not from hiding the token.
Viewing the token
The token is shown in the Embed tab under "Widget token". Click Copy token to copy it to your clipboard.
Rotating the token
Rotation invalidates the current token and generates a new one. Anyone using the old token (i.e., anyone with your old snippet) will be cut off — but with a 2-hour grace period for active visitor sessions so live conversations don't drop mid-message.
When to rotate
- You think the token has been misused outside your intended sites (despite origin restrictions).
- You're handing off site management and want a fresh credential.
- As scheduled hygiene on a high-stakes deployment.
How to rotate
1. Click Rotate next to the token. A confirmation modal appears explaining the impact.
2. Confirm. Pegasus generates a new token. The Embed Code section updates automatically.
3. Update your website. Copy the new snippet and replace the old one on your site. Active sessions stay alive for up to 2 hours so existing visitors keep working.
Toast feedback
- Success: "Token rotated. Update your embed snippet."
- Failure: "Failed to rotate token."
Don't share the token externally
While the token is technically public, treating it carefully is good practice. If you put it in places where it's harder to associate with your domain (e.g., posting it in a Stack Overflow question), someone could try to use it from an unrelated site. Strict allowed-origin rules prevent the abuse, but rotating is the cleaner response.
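A minimal model of the behaviour this page describes (public token, allowed-origin enforcement, and the 2-hour grace period for active sessions after rotation), added here as an illustration and not Pegasus's own code. The record layout, the `authorize` function, the token values, the session tracking and the use of the `Origin` header are all assumptions.

```javascript
// Illustrative model only, not Pegasus code. All names and the data layout are assumptions.
const GRACE_MS = 2 * 60 * 60 * 1000; // 2-hour grace period described on this page

// Constructed sample bot record: current token, rotated-out token, allow-list.
const bot = {
  currentToken: "wt_new_EXAMPLE",
  previousToken: "wt_old_EXAMPLE",
  rotatedAt: Date.parse("2024-01-01T12:00:00Z"),
  allowedOrigins: ["https://www.example.com", "https://shop.example.com"],
  activeSessions: new Set(["sess-123"]), // sessions opened before the rotation
};

// Normalise an Origin header to scheme://host[:port]; reject anything unparsable.
function normalizeOrigin(header) {
  try {
    const u = new URL(header);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch {
    return null; // covers "", "null" and malformed values
  }
}

// Decide whether a widget request is accepted, and why not if it is rejected.
function authorize(bot, req, now) {
  const origin = normalizeOrigin(req.origin || "");
  // Exact match against the allow-list: no substring or suffix matching.
  if (!origin || !bot.allowedOrigins.includes(origin)) return "deny:origin";
  // The token is public, so it only routes the request; it is not a secret.
  if (req.token === bot.currentToken) return "allow";
  if (req.token === bot.previousToken) {
    const inGrace = now - bot.rotatedAt < GRACE_MS;
    // The old token only keeps conversations that were already open alive.
    if (inGrace && bot.activeSessions.has(req.sessionId)) return "allow:grace";
    return "deny:rotated";
  }
  return "deny:token";
}
```

A copied token used from an unrelated site fails at the origin check regardless of whether it has been rotated; rotation additionally cuts off the old snippet on allowed sites once the grace period ends.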