Widget API Key Changes When Modifying JWT Settings in Widget
under review
Vijay Sakthivel
When editing a widget, toggling the JWT option (enable or disable) causes the widget JavaScript to update immediately and regenerates a new API key, even when no explicit save action is performed. This behavior can result in the widget returning 401 Unauthorized errors in production environments if the newly generated API key is not updated in the embedded widget code.
Additionally, API key regeneration triggered by this action is not recorded in Team Auditing logs. Currently, audit entries are created only when changes are followed by an explicit save action, which makes it difficult for customers to track when and why an API key was changed. Improving visibility and consistency around API key changes would help customers manage widget integrations more reliably and avoid unexpected production issues.
Mohamed Shakheen marked this post as under review
Mohamed Shakheen
Hi Rose quartz Dormouse
Thank you for reporting this behavior in detail.
We understand the concern regarding the widget JavaScript updating immediately and regenerating a new API key when the JWT option is toggled, even without an explicit save action. We also acknowledge the impact this can have in production environments if the regenerated API key is not reflected in the embedded widget code.
Additionally, we note your observation about the API key regeneration not being captured in the Team Auditing logs.
Based on this feedback, we will evaluate the appropriate scenario.
Thank you for highlighting this scenario and providing detailed context.
Vijay Sakthivel
Raised on behalf of Rose quartz Dormouse