No-authentication widget mode
authType: "none" lets the widget connect with only a userId and userEmail, with no server-side identity verification. It’s the fastest way to wire up the widget while building — and a serious foot-gun in production.
TL;DR
authType: "none"skips token verification entirely.- Use it for local development, demos, hackathons, internal sandboxes — never production.
- Migrate to
backendToken,firebase, orPubliclySignedJwtbefore shipping.
Setup
- React
- Angular
- Vanilla JS
Required fields
| Field | Type | Description |
|---|---|---|
authType | 'none' | Mandatory literal. |
userId | string | The user’s unique identifier — used as the inbox key. |
userEmail | string | The user’s email address. |
When to use
none mode is appropriate for:
- Local development — the fastest way to test the full track → orchestrator → widget loop without setting up backend token generation or Firebase.
- Demos and hackathons — when you need a working widget in five minutes.
- Internal sandboxes behind your VPN — when the threat model is “honest insiders only”.
- Anything customer-facing.
- Anything where the inbox content is sensitive (transactional, financial, health, …).
- Anything connected to a production-shaped database.
Migrating to production
Pick a real auth mode before going live:Backend tokens
Recommended if you have your own auth system.
Firebase
Zero backend work if you already use Firebase Auth.
Publicly-signed JWT
Auth0, Clerk, Cognito, Supabase Auth — dashboard-configured.
Authentication overview
The four-mode comparison.
authType and pass token), plus whatever backend setup the new mode requires.
FAQ
Is `none` mode disabled in production environments?
Is `none` mode disabled in production environments?
Not enforced server-side — the backend accepts
none mode regardless of environment. The protection is conventional: don’t use it in production. Some teams add a CI/lint rule that fails the build if authType: "none" ships to a production-tagged config.What stops a malicious actor from impersonating a user in `none` mode?
What stops a malicious actor from impersonating a user in `none` mode?
Nothing — that’s exactly the trade-off. The Front API Key plus a
userId is enough to read that user’s inbox. If your API Key leaks (it’s a public key by design, embedded in your frontend bundle), none mode means anyone can browse any user’s notifications.Can I scope `none` to a specific environment via separate API keys?
Can I scope `none` to a specific environment via separate API keys?
Yes — and you should. Use a dev-only Front API Key in your dev environment with
none mode allowed; use a prod Front API Key with only firebase / backendToken / PubliclySignedJwt strategies wired in the dashboard. The keys are environment-scoped, so a leaked dev key only reveals the dev inbox.The widget seems to work in `none` — why bother with the others?
The widget seems to work in `none` — why bother with the others?
Because it’s only the local widget that “works” — there is no server-side identity check, so the connection is wide open. Production usage means the inbox is owned by an attacker the moment they discover the API key.
What does `userEmail` do in `none` mode?
What does `userEmail` do in `none` mode?
It’s used for display purposes inside the widget (the dropdown header sometimes shows the email). It is not verified against anything. The orchestrator can still target by
userId, so passing a wrong email doesn’t break delivery — just display.See also
Authentication overview
The four-mode model and when to pick each.
Frontend quickstart
Render the widget in five minutes.