Rasa REST API security concerns


I’d like to use Rasa with my own chat widget. I used REST API and it works fine. Now I am concerned about security - since REST API needs to be exposed to outside world to enable exchanging messages between my widget and Rasa, it is now open to anyone who might use API to manipulate my chatbot.

Maybe I missed something in docs, but I couldn’t find a way to only expose part of the API needed to chat, not other stuff used for administration etc.

If you are also using REST API, how do you protect yourselves?

Thank you.


Hi @lotcz, the HTTP API requires an authentication token to make requests for things like pushing model updates & other admin changes, which you can configure like this.

For handling communication between your widget and Rasa, using the REST input channel would not require any authentication and would only allow message data to be exchanged via this endpoint.
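
The split described in the answer above, sketched as a default-deny gate that a front proxy could apply before forwarding to Rasa. This is an added example, not part of the original posts and not Rasa's own code. It assumes the REST channel's chat endpoint is `POST /webhooks/rest/webhook` and that the HTTP API token arrives as a `token` query parameter; `gate`, `demo` and the sample requests are hypothetical.

```python
import hmac
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: the only route the chat widget needs is the REST channel webhook.
CHAT_ROUTES = {("POST", "/webhooks/rest/webhook")}


def gate(method, url, admin_token):
    """Return the status a front proxy should answer with (200 means forward).

    admin_token is the token configured for the HTTP API. None means no
    token is configured, in which case only the chat route is forwarded.
    """
    parts = urlsplit(url)
    # Decode and collapse "." / ".." segments first, so an encoded or
    # dotted path cannot be mistaken for the chat route.
    path = posixpath.normpath(unquote(parts.path))
    if (method.upper(), path) in CHAT_ROUTES:
        return 200  # message exchange only, no token required
    # Everything else (model upload, trackers, status, ...) is admin surface.
    supplied = parse_qs(parts.query).get("token", [""])[0]
    if admin_token and hmac.compare_digest(supplied.encode(), admin_token.encode()):
        return 200
    return 401


def demo():
    """Run the gate over constructed sample requests."""
    token = "constructed-sample-token"  # constructed value, not a real secret
    samples = [
        ("POST", "/webhooks/rest/webhook"),             # widget sending a message
        ("PUT", "/model"),                              # model update, no token
        ("PUT", "/model?token=" + token),               # model update, valid token
        ("GET", "/conversations/abc/tracker?token=x"),  # wrong token
        ("POST", "/webhooks/rest/webhook/%2e%2e/%2e%2e/%2e%2e/model"),
    ]
    return [(m, u, gate(m, u, token)) for m, u in samples]


if __name__ == "__main__":
    for method, url, status in demo():
        print(status, method, url)
```
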

Hello Karel, I am actually planning to create a RASA bot that does NOT require authentication and using REST. Can you point me to any docs showing how to do it? Best regards R