Enable the widget
Turn on embed for a bot and copy the snippet onto your site.
The embed widget lets website visitors chat with one of your bots without creating a Pegasus account. You paste one snippet into your site and Pegasus renders a chat bubble in the bottom-right corner.
What visitors and owners should expect
When a visitor opens the widget, Pegasus creates an anonymous visitor session. Visitors do not sign in, and today the workspace owner sees widget traffic only in aggregate usage analytics rather than full widget-chat history.
The bot owner controls:
| Setting | Where |
|---|---|
| Enable or recreate the widget | Bot detail -> Embed tab |
| Copy the snippet | Bot detail -> Embed tab |
| View or rotate the widget token | Bot detail -> Embed tab |
| Allowed origins list | Bot detail -> Embed tab |
| Whether the bot is in READY status | Bot detail page |
The widget is available on Free, Pro, and Ultra plans. Higher plans allow more widget traffic.
Prerequisite
The bot must be in READY status before you enable the widget. If it is not ready yet, train it first.
Enable the widget
Open the bot's Embed tab
On the bot detail page, switch to the Embed tab.
Click Enable Embed Widget
Pegasus generates a widget configuration, including a widget token. The status changes from Inactive to Active.
Copy the snippet
The Embed Code section now shows the widget snippet. Click Copy snippet.
Paste it into your website
Put the snippet inside
<body>on any page where you want the chat bubble. Most sites add it once in a shared layout or template.Reload the page
The chat bubble appears in the bottom-right corner. Click it to test.
If enabling fails, Pegasus shows "Failed to enable the embed widget." Retry after confirming the bot is still READY.
What the snippet contains
The snippet is a <script> tag that loads the Pegasus widget JavaScript and includes the widget token. No other secret is exposed.
The token is intentionally public because it identifies the bot to the widget runtime. Real protection comes from origin restrictions, not from hiding the token in page source.
Widget token and rotation
The widget token is shown in the Embed tab under "Widget token". Use Copy token if you need the raw value.
When to rotate the token
Rotate the token when:
- You suspect the snippet is being used on an unintended site.
- You are handing off website ownership and want a fresh credential.
- You are following a regular security hygiene process.
How rotation works
Rotation invalidates the old token and creates a new one. Active visitor sessions get a 2-hour grace period, so live conversations do not drop mid-message, but any new page load must use the new snippet.
Click Rotate next to the token
A confirmation modal explains the impact.Confirm
Pegasus creates a new token and updates the Embed Code section.Update your website
Copy the fresh snippet and replace the old one on your site before the grace window ends.
Toast feedback:
- Success: "Token rotated. Update your embed snippet."
- Failure: "Failed to rotate token."
Even though the token is public, treat it carefully. If it appears in unrelated places, rotate it and tighten your allowed-origin rules.
Allowed origins
The widget can run in any browser that loads your snippet. To limit usage to your websites, configure Allowed Origins.
How matching works
An origin is the protocol + domain + optional port, such as:
https://example.comhttps://app.example.comhttp://localhost:3000
Matching is exact. https://example.com does not automatically include https://www.example.com.
Add or remove an origin
Open Allowed Origins
Go to the Embed tab for the bot.Enter the full origin
Use the full URL with protocol. Invalid values show "Enter a valid URL (e.g. https://example.com)".
Click Add
The origin appears in the list immediately.
Click the trash icon to remove an origin. Removal takes effect immediately for new sessions.
Empty list means no restriction
If the list is empty, Pegasus shows "No restrictions - any domain can load this widget." That is acceptable for testing, but not recommended for production.
Local development and wildcard limits
- Add
http://localhost:3000or your actual local port for development. - Do not rely on
file://pages; use a real local web server. - Wildcards such as
*.example.comare not supported today, so list each subdomain explicitly.
Existing sessions after an origin change
If you remove an origin, active visitor sessions on that origin may finish their current message, but they cannot start new sessions.
After enabling
Once the widget is live, you can rotate the token, lock down origins, or later delete and recreate the widget config if you need a hard reset.