Flex Webchat 3.x.x is currently available as a public beta product and the information contained in this document is subject to change. This means that some features are not yet implemented and others may be changed before the product is declared as generally available. Public beta products are not covered by a Twilio SLA.
Not a HIPAA Eligible Service
Webchat 3.x.x is not a HIPAA Eligible Service and should not be used in workflows that are subject to HIPAA.
This page applies to Webchat 3.x.x. If you are using Webchat 2.0, see the Webchat 2.0 overview instead.
Webchat 3.x.x includes enhanced security measures:
To add Webchat 3.x.x to your website, you create a randomly generated deployment key and map it to a chat address in Twilio Console. When you deploy Webchat 3.x.x, your account information is shielded, because only your deployment code is used. If you ever feel like your deployment key might have been compromised, you can replace it with a new deployment key and chat address.
When a user begins a webchat session, Webchat 3.x.x records the fingerprint of that browser and device based on a number of characteristics. For details about the specific characteristics that Flex uses to create a fingerprint, contact our support team.
With every chat message that Flex UI receives, that fingerprint is verified. This means that the chat session can't be hacked, spoofed, or intercepted without being detected.
In your deployment key settings, you can specify up to 10 trusted URLs as allowed origins where your customers can initiate a chat. Chat sessions are only accepted from those trusted URLs. By setting these values, you ensure that your chat widget can't be deployed on other websites.