I am building a chatbot-as-a-service using vercel ai sdk where clients can set up a chatbot and get an <iframe> code to embed on their website. The problem is that anyone can copy this <iframe> code and use it on their own site.

Even if I set up CORS, request headers can be modified before sending the request, making it possible to bypass restrictions. What’s the best way to securely allow only authorized websites to use the chatbot?