Security & Policies

Every Rover site key is locked to a set of allowed domains. When the embed script initializes, it checks the current hostname against the key's domain list. If there's no match, Rover refuses to boot and logs a warning.

Standard Rover installs do not expose owner-selected navigation policies. Rover opens outside-domain pages in a new tab with notice, keeps same-host work in the current tab unless a link explicitly asks for a new tab, and chooses the right tab automatically for allowed-host hops.

Unlike screenshot-based agents that run in a remote VM, Rover executes directly in the user's browser tab. This means:

• 1.No user credentials leave the browser. Rover acts as the user, within the user's existing authenticated session.
• 2.Rover can only interact with DOM elements that are visible and accessible to the current user.
• 3.All actions are subject to the same CORS, CSP, and browser security policies as your own JavaScript.
• 4.No screenshots or page content are sent to external servers — only the semantic DOM structure.

Agent analytics runtime writes and owner analytics do not share the same trust path.

• 1.Site-tag Agent analytics writes are authenticated by signed Rover session claims, not by raw browser-supplied site IDs.
• 2.Agent analytics Workspace reads and launch/settings writes require owner Firebase auth plus site ownership checks.
• 3.Webhook secrets and auth material are stored privately by owner + site and are not returned in public site config.

Rover distinguishes between who owns a site and which agent visited it.

External tabs are tracked with virtual tab IDs, URL, and title. Rover cannot directly control live DOM outside the embedded domain.

If enabled, Rover can request best-effort cloud text context for external tabs usingtools.web.enableExternalWebContext. Access is still subject to domain allow/deny rules and account credits.

Navigation-only external steps use open-only handling (tracked via POST /command with type='TAB_EVENT' + placeholder tabs). Context/action fetches are routed through /v2/rover/context/external withread_context or act intent.

When cloud fetch fails or is blocked by allow/deny policy, Rover falls back to placeholder context and continues.

Rover uses a Shadow DOM (not an iframe) to render its UI, which means it runs in your page's security context. If you have a strict CSP, add the following directives:

For environments with strict CSP that cannot allow external script domains, you can self-host the SDK and worker files on your own domain and set workerUrl in your boot config. See the self-hosting guide for details.

Site keys can be rotated, disabled, and domain-scoped from the Workspace without redeploying your site:

• Replace — generates a new key with the same configuration. Old key is immediately invalidated.
• Disable/Enable — toggle key access without deleting it.
• Update domains — change the allowed domain list in real time.
• TTL — keys can be set to auto-expire after 30, 90, 180, or 365 days.

Capability flags are enforced server-side for cloud APIs:roverEmbedfor Rover embed runtime requests andcloudAgentandcloudScrapefor cloud MCP/direct APIs.

Site owners get siteId, publicKey, and optional siteKeyId from Workspace for installation. External AI callers using POST https://agent.rtrvr.ai/v1/a2w/runs or chatbot GET execution do not need those values. Public GET targets must still be HTTPS, outside local/private host ranges, inside the site scope, and allowed by aiAccess.

Site keys require an active subscription with available credits. Check your credit balance in the Workspace.