If you connect your own AI provider key to Helpdesky, it is natural to worry that visitors could hammer it and run up a big bill. The good news: rate limiting is built into Helpdesky to protect that key, and your key is never exposed to the browser or to your visitors. Here is exactly how we keep your AI API key safe and your costs predictable.
What rate limiting is and why we use it
Rate limiting caps how many requests a single visitor can make in a short window of time. Think of it as a speed limit for traffic hitting your help center. It stops one person, or a bot, from firing thousands of requests in a minute and overwhelming your help center or your AI provider.
Every public Helpdesky feature is protected this way. Limits are applied per visitor IP address, so a normal visitor reading articles and asking a question or two never notices them. They only kick in when traffic starts to look abusive.
Your AI key is never exposed
When you add an AI provider key, such as OpenAI, Anthropic, or Google, Helpdesky treats it as a secret from the moment you save it:
- Encrypted at rest. Your key is encrypted in our database, so it is never stored as plain text.
- Masked in the dashboard. Anywhere your key appears in settings, you only see the last few digits, like ••••1234. The full value is never shown again after you save it.
- Used only on our servers. The key lives server side. It is never sent to the browser, baked into the widget code, or visible to your visitors in any way.
This means that even someone inspecting your widget code or network traffic cannot read your key.
How AI requests actually flow
A common worry is that the Ask AI feature in the widget calls your provider straight from the visitor's browser. It does not.
Here is what actually happens when a visitor asks a question:
- The question goes to Helpdesky's server, not to OpenAI or any other provider.
- Helpdesky runs the search across your articles and builds the prompt.
- Helpdesky calls your AI provider using your key, from our server.
- The answer comes back to Helpdesky and is then shown to the visitor.
Because every AI request passes through Helpdesky first, all of that traffic is gated by our rate limits before it ever reaches your provider. You can learn more about this feature in Ask AI in the Widget.
The limits that protect your AI usage
These are the limits that affect a visitor interacting with your help center:
- Ask AI: 10 requests per minute per visitor. This is the one that directly protects your AI provider key and your spend.
- Search and config: 60 requests per minute. Covers loading the widget and searching your articles.
- Widget chat messaging: 20 requests per minute. Covers sending messages through the widget.
- Ticket Center: 10 requests per minute. Covers the embedded Ticket Center.
If a visitor goes over a limit, they simply get a friendly message asking them to slow down, and the request is rejected before any AI call is made.
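To make the gating concrete, here is an added sketch (not Helpdesky's own code) of a per-visitor-IP limiter that uses the limits listed above and rejects an over-limit Ask AI request before the provider is called. The sliding-window algorithm, the HTTP 429 status, and all function and key names are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

# Per-minute limits as listed on this page; the dictionary keys are hypothetical names.
LIMITS = {"ask_ai": 10, "search_config": 60, "widget_chat": 20, "ticket_center": 10}
WINDOW_SECONDS = 60.0


class SlidingWindowLimiter:
    """Sliding-window log keyed by (feature, visitor IP). The algorithm is an assumption."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limits, self.window, self.clock = limits, window, clock
        self.hits = defaultdict(deque)

    def allow(self, feature, ip):
        now = self.clock()
        log = self.hits[(feature, ip)]
        while log and now - log[0] >= self.window:  # drop hits older than the window
            log.popleft()
        if len(log) >= self.limits[feature]:
            return False  # rejected requests are not recorded
        log.append(now)
        return True


def handle_ask_ai(limiter, ip, question, call_provider):
    """Gate first: the provider (and the key) is only touched for allowed requests."""
    if not limiter.allow("ask_ai", ip):
        return 429, "Please slow down and try again in a moment."
    return 200, call_provider(question)


def demo():
    """Constructed traffic: 12 questions from one IP in 12 seconds, then one at t=60."""
    t = [0.0]
    limiter = SlidingWindowLimiter(clock=lambda: t[0])
    calls = []
    def provider(q):  # stand-in for the server-side provider call
        calls.append(q)
        return "answer"
    statuses = []
    for i in range(12):
        t[0] = float(i)
        statuses.append(handle_ask_ai(limiter, "203.0.113.7", f"q{i}", provider)[0])
    other = handle_ask_ai(limiter, "203.0.113.8", "hi", provider)[0]  # separate budget
    t[0] = 60.0  # the hit at t=0 has aged out of the window
    later = handle_ask_ai(limiter, "203.0.113.7", "again", provider)[0]
    return statuses, other, later, len(calls)
```

In the constructed run, the two rejected requests never reach the provider stub, and a second visitor IP is unaffected by the first visitor's limit.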
Add your own provider limit as a safety net
Defense in depth means layering protections so that if one ever fails, another still has you covered.
Helpdesky's limits do the heavy lifting, but we strongly recommend setting your own usage or spend limit directly in your AI provider dashboard as a second layer of protection. For example, OpenAI lets you set a monthly usage cap and email alerts under your billing settings.
Why bother if Helpdesky already limits traffic? A hard cap on your provider account protects you no matter what. It is the same logic as keeping a spare key: you hope you never need it, but you are glad it is there. Pick a monthly budget you are comfortable with and you will never face a surprise bill.
Start using AI with confidence
Ready to turn on AI answers for your visitors? Open your widget settings, connect your provider key, and let your help center start answering questions on its own. Your key stays private, your costs stay capped, and your visitors get instant help.