Security

Public IDs on the client. Authority on the backend.

The widget uses public identifiers in the browser, while the backend remains the source of truth for credits, sessions, and store state.

Client-safe identifiers

The storefront only receives public identifiers required for widget initialization.

Backend validation

Store state, credits, device usage, and protected actions are verified on the backend.