Inboarddocs

Security

How Inboard protects customer data, embed keys, and your account.

This page covers the security model behind the Inboard widget and API. For our written policies (DPA, sub-processors, breach notification), see inboard.dev/legal.

Embed keys vs account keys

The widget loads with an embed key — a public, read-only token scoped to a single install template. Embed keys:

  • Are safe to expose in the browser, in source control, and in customer-facing HTML.
  • Grant read access only to the template, its steps, variables, and assets.
  • Can be rotated from the dashboard at any time (rotating issues a new key; the old key remains valid for 24 hours so you have a window to update embeds).

Account API keys are write-scoped secrets used for admin operations. They:

  • Must never be exposed in client-side code.
  • Grant full read/write access to the issuing account.
  • Should be rotated immediately if leaked. Old keys are revoked instantly.

Variable handling

Variable typeStored on Inboard servers?Sent over the network?
string / url / domain / emailOnly if the customer types them and you've enabled analytics for that variableYes, in GET /v1/guides requests when pre-filled, and in event payloads if you opt in
secretNeverNever leaves the browser — substituted into the rendered guide client-side

If you're prompting customers for credentials (API keys, tokens), define those variables as secret. The widget enforces the no-network rule and the dashboard prevents you from referencing secret variables in analytics or webhook payloads.

Content Security Policy

If your site uses CSP, allow the widget origin:

script-src 'self' https://app.inboard.dev;
connect-src 'self' https://api.inboard.dev;
img-src 'self' https://cdn.inboard.dev data:;
style-src 'self' 'unsafe-inline';

The widget needs style-src 'unsafe-inline' to inject its Shadow DOM stylesheet. Nothing outside the Shadow DOM is styled, so this scoped exception is safe.

Cross-origin and iframes

The widget runs in the host page's main document (not an iframe), so it has access to the page's URL — needed for auto-detection. If you'd rather isolate it in an iframe, set data-iframe="true" on the script tag; the widget then mounts inside a sandboxed iframe and uses postMessage for callbacks.

IP and geo

For abuse detection and rate limiting, Inboard captures the IP address on every API request:

  • Full IP is retained for 60 days, then truncated to the network prefix (/24 for IPv4, /48 for IPv6).
  • Coarse geo (country + region) is retained indefinitely for analytics.

You can disable IP capture entirely on the account level — analytics will lose location dimensions but still count events.

Reporting a vulnerability

Email security@inboard.dev with reproduction steps. We respond within one business day. Please don't open a public GitLab issue for security reports.

We don't have a paid bug bounty yet — we offer credit and a thank-you in the security acknowledgements page.

On this page