Security
We invite you to consider security at Fogbender from two perspectives: organizational security and product security. Organizational security covers aspects like ensuring engineers don’t manage cleartext passwords in the codebase and that database backups are stored in encrypted form. Product security focuses on questions such as, “Why can’t user Alice impersonate user Bob in a customer support conversation?”
#Organizational security
Fogbender is SOC 2 Type I-certified. To learn more, please visit https://fogbender.com/security.
#Product security
If you’ve built a SaaS product, you’ve likely put significant effort into user authentication—whether by using a service like Clerk, PropelAuth, or SuperTokens, or by going all in and rolling your own.
Whenever your user opens a Fogbender messaging widget, our challenge is to securely relay their identity—confirmed by your application’s authentication—to the Fogbender backend.
We do this by providing your backend with a never-to-be-published secret (available in https://fogbender.com/admin/-/-/settings/embed). Your backend then uses this secret to sign a JWT containing a set of claims you provide about the user—id
at minimum, but optionally name
, email
, customerId
, and more.
This JWT is then set as the userJWT
value when assembling a Fogbender token, which is used to instantiate the widget:
import { FogbenderSimpleWidget } from "fogbender-react";
const token = { widgetId: "dzAwNjg4NDY0NjI4NzgyNDY5MTIw", userJWT: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2...", customerId: "C256434", customerName: "Netflix", userId: "U234328", userEmail: "alice@netflix.com", userName: "Alice Chesterton",};
<FogbenderSimpleWidget token={token} />
Let’s map this out one more time as a list and a sequence diagram:
- Your user (Alice) asks your backend to sign her into your [web] application
- Your backend signs Alice in after agreeing that her credentials look good
- While rendering the support widget, your application asks your backend for a
userJWT
for Alice - Your backend calls Fogbender’s
/signatures
API (or uses a crypto library) to generate a JWT with Alice’s details—known from the session; this call is secured (viaAuthentication
header) by the secret shared between Fogbender and your backend - Fogbender returns a JSON object that looks like
{ "signatures": { "userJWT": ... }}
- Your backend returns the value of
userJWT
to your application - Your application constructs a Fogbender token and uses it render the support widget for Alice