
Updated 3 weeks ago

Prevent unauthorized access via url

Hi all, is there a way to prevent unauthorized access to a published typebot via the URL (for self-hosted)?

One method I can think of is to redirect the user if a certain prefilledVariable is empty. But I don't think this is 100% secure, is it?
5 comments
The bot is public by design. If you need to restrict where it can be executed, go to Settings, under the Security section you can specify the allowed origin there
I see, understood. Thanks for your response.

Yeah, allow origin helps but it does not restrict someone from directly accessing it via the typebot viewer URL (using apiHost and typebot ID) if I understand correctly.
I guess the best way for now is to do it directly in the build-app itself through a token variable, passing it to prefilledVariables and do some check.
One way to make it more difficult for someone to copy the Typebot ID and access it via the Typebot viewer URL would be to obfuscate the ID with recursive multiple-argument self-calling functions, so that the "end" ID wouldn't appear directly in the script tag.

Another way I can think of and that requires you to have full control over your website (frontend and backend) could be to call a server-side function (or a similar server-side solution) as the value of typebot in:
Typebot.initStandard({ typebot: "TYPEBOT_ID" });

I am not entirely sure the expected behavior would happen with the specific way I mentioned it, but I suspect a potential solution with server-side rendering.

Maybe even an extra Custom HTML Element on top of <typebot-standard>, with a server-side function call to retrieve the Typebot ID without exposing it in the final parent Custom HTML Element?
It could break the Typebot displayed to the user, but if it works, I suppose it's worth the try.

I'm still learning, so I'm curious to know if any of my suggestions don't make sense from a technical point of view.
Yes, I'd like to prevent it from working from the typebot public URL if Allowed origins isn't empty.