agents
latest
false
UiPath logo, featuring letters U and I in white

Agents user guide

Last updated Feb 19, 2026

Anonymous access setup

Overview

Anonymous access allows you to embed conversational agents for users who don't have UiPath accounts. This is useful for customer-facing applications, public portals, or any scenario where you want users to interact with your agent without requiring UiPath authentication.

Anonymous access requires:

  1. A confidential external application configured in UiPath Admin
  2. A token endpoint hosted by your organization to handle authentication
  3. An embedded agent URL configured with the authentication parameters
Warning:

Confidential app-scoped external apps allow anonymous access without user authentication. Carefully configure permissions to prevent unintentional data access. We highly recommend gating anonymous agents behind your own portal or login to mitigate abuse.

Intended users: Users who need to access conversational agents without an Automation Cloud account.

Prerequisites

Before starting, ensure you have:

  • A published conversational agent in Orchestrator.
  • Organization admin access to the UiPath Admin portal.
  • Infrastructure to host a serverless function or API endpoint (for example, AWS Lambda, Azure Functions, Google Cloud Functions).

Step 1: Create the external application

  1. From the UiPath homepage, navigate to Admin.
  2. Select External Apps.
  3. Click Add application.
  4. Fill in the application details:
    • Application name: Give the application a descriptive name.
    • Application type: Select Confidential application.
  5. Add the following scopes as Application scopes:
APIScope
Orchestrator API AccessOR.Jobs
Orchestrator API AccessOR.Execution
Orchestrator API AccessOR.Users
Orchestrator API AccessOR.Folders
Traces API AccessTraces.Api
Conversational AgentsConversationalAgents
  1. Click Add (a redirect URL is not needed for this client).
  2. A popup displays the App ID and App Secret.
Important:

Copy the app secret and store it securely. You won’t be able to view it again after closing this window, and you’ll need it when creating the token endpoint.

Note:

Adding any scopes as user scopes instead of application scopes causes the chat app to request user sign-in, defeating the purpose of anonymous access.

Step 2: Configure external application permissions

After creating the external application, configure its permissions to control what resources the anonymous agent can access.

Assign tenant-level access

  1. Navigate to Orchestrator.
  2. Select Tenant on the top left.
  3. Select Manage Access from the toolbar.
  4. Select External apps.
  5. Select Assign external app.
  6. Search for and select the external app you created.
  7. Under Additional roles, select the required roles:
    • Minimum required: Automation User.
    • Add additional roles only as needed for your use case.
  8. Select Assign.

Assign folder-level access

  1. Navigate to Folders in Orchestrator.
  2. For each folder the agent needs access to:
    1. Select the folder.
    2. Select Assign account/group/external app.
    3. Select your external app from the dropdown.
    4. Assign the necessary roles.
    5. Select Assign.
Note:

The external app is restricted from any resources it doesn't have explicit permissions for. Ensure the app has access to all contexts, tools, and resources the conversational agent needs.

Step 3: Create a token endpoint

A token endpoint is required because the embedded conversational agent cannot securely store client secrets. Your token endpoint authenticates with UiPath using the client credentials and returns an access token to the embedded agent.

We recommend a serverless architecture for the token endpoint:

  • Low cost: For example, AWS Lambda pricing for 3,000,000 responses/month is approximately $0.40 USD.
  • Minimal maintenance: No servers to manage.
  • Easy scaling: Handles traffic spikes automatically.

Security considerations

Warning:

The client secret is highly sensitive. If it is unintentionally exposed, immediately delete the secret and generate a new one in the External Application settings.

Ensure your token endpoint implementation:

  • Stores the client secret securely (environment variables, secrets manager)
  • Validates request origins to prevent unauthorized access
  • Uses HTTPS for all communications

Example implementation

The following JavaScript code can be adapted for your serverless platform. The response body must return {access_token: <token>}:

// Whitelist: Configure allowed origins for your deployment
const ALLOWED_ORIGINS = [
  'https://cloud.uipath.com/*',
  // Add your application domains here
];

function matchesOriginPattern(origin, pattern) {
  try {
    const originUrl = new URL(origin);
    const originBase = `${originUrl.protocol}//${originUrl.host}`;

    if (pattern.includes('*')) {
      const regexPattern = pattern
        .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
        .replace(/\*/g, '.*');
      const regex = new RegExp(`^${regexPattern}$`);
      return regex.test(originBase);
    } else {
      return originBase.startsWith(pattern);
    }
  } catch (e) {
    return false;
  }
}

function checkOrigin(req) {
  const origin = req.headers.origin || req.headers.referer;

  if (!origin) {
    const host = req.headers.host;
    if (host && (host.includes('localhost') || host.includes('127.0.0.1'))) {
      return true;
    }
    return false;
  }

  return ALLOWED_ORIGINS.some(pattern => matchesOriginPattern(origin, pattern));
}

async function getClientAccessToken() {
  const clientId = process.env.CLIENT_ID;
  const clientSecret = process.env.CLIENT_SECRET;
  const scope = 'OR.Default ConversationalAgents Traces.Api';

  const params = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    scope: scope
  });

  const response = await fetch('https://cloud.uipath.com/identity_/connect/token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: params.toString()
  });

  if (!response.ok) {
    const errorText = await response.text();
    throw new Error(`Token request failed: ${response.status} ${errorText}`);
  }

  const data = await response.json();
  return data.access_token;
}

export async function token(context, req) {
  if (!checkOrigin(req)) {
    context.res = {
      status: 403,
      headers: { 'Content-Type': 'application/json' },
      body: { error: 'Origin not allowed' }
    };
    return;
  }

  try {
    const accessToken = await getClientAccessToken();
    context.res = {
      status: 200,
      headers: { 'Content-Type': 'application/json' },
      body: { access_token: accessToken }
    };
  } catch (error) {
    console.error('Error fetching access token:', error);
    context.res = {
      status: 500,
      headers: { 'Content-Type': 'application/json' },
      body: { error: 'Failed to fetch access token' }
    };
  }
}
// Whitelist: Configure allowed origins for your deployment
const ALLOWED_ORIGINS = [
  'https://cloud.uipath.com/*',
  // Add your application domains here
];

function matchesOriginPattern(origin, pattern) {
  try {
    const originUrl = new URL(origin);
    const originBase = `${originUrl.protocol}//${originUrl.host}`;

    if (pattern.includes('*')) {
      const regexPattern = pattern
        .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
        .replace(/\*/g, '.*');
      const regex = new RegExp(`^${regexPattern}$`);
      return regex.test(originBase);
    } else {
      return originBase.startsWith(pattern);
    }
  } catch (e) {
    return false;
  }
}

function checkOrigin(req) {
  const origin = req.headers.origin || req.headers.referer;

  if (!origin) {
    const host = req.headers.host;
    if (host && (host.includes('localhost') || host.includes('127.0.0.1'))) {
      return true;
    }
    return false;
  }

  return ALLOWED_ORIGINS.some(pattern => matchesOriginPattern(origin, pattern));
}

async function getClientAccessToken() {
  const clientId = process.env.CLIENT_ID;
  const clientSecret = process.env.CLIENT_SECRET;
  const scope = 'OR.Default ConversationalAgents Traces.Api';

  const params = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    scope: scope
  });

  const response = await fetch('https://cloud.uipath.com/identity_/connect/token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: params.toString()
  });

  if (!response.ok) {
    const errorText = await response.text();
    throw new Error(`Token request failed: ${response.status} ${errorText}`);
  }

  const data = await response.json();
  return data.access_token;
}

export async function token(context, req) {
  if (!checkOrigin(req)) {
    context.res = {
      status: 403,
      headers: { 'Content-Type': 'application/json' },
      body: { error: 'Origin not allowed' }
    };
    return;
  }

  try {
    const accessToken = await getClientAccessToken();
    context.res = {
      status: 200,
      headers: { 'Content-Type': 'application/json' },
      body: { access_token: accessToken }
    };
  } catch (error) {
    console.error('Error fetching access token:', error);
    context.res = {
      status: 500,
      headers: { 'Content-Type': 'application/json' },
      body: { error: 'Failed to fetch access token' }
    };
  }
}

Environment variables

Configure the following environment variables in your serverless platform:

VariableDescription
CLIENT_IDThe App ID from Step 1
CLIENT_SECRETThe App Secret from Step 1

The exact method for setting environment variables depends on your hosting platform.

Configuring allowed origins

The ALLOWED_ORIGINS array provides security by rejecting token requests from unauthorized sources. Configure this list to include:

  • https://cloud.uipath.com/* (required for the embedded agent)
  • https://staging.uipath.com if you need to allow requests from a staging environment
  • Your application's domain(s) if testing locally or from other environments

Step 4: Embed the agent with anonymous access

With the token endpoint configured, embed the conversational agent using the following URL format:

https://<cloud_env>.uipath.com/<organization>/<tenant>/autopilotforeveryone_/conversational-agents/?agentId=<agent_id>&externalAuth=true&authEndpoint=<token_endpoint_url>&externalUserId=<user_id>
https://<cloud_env>.uipath.com/<organization>/<tenant>/autopilotforeveryone_/conversational-agents/?agentId=<agent_id>&externalAuth=true&authEndpoint=<token_endpoint_url>&externalUserId=<user_id>

Anonymous access URL parameters

ParameterRequiredDescription
agentIdYesThe Release ID of the published agent
externalAuthYesSet to true to enable anonymous access
authEndpointYesURL of your token endpoint
externalUserIdYesUnique identifier for the user (see note below)
Note:

The externalUserId is a value you define and maintain. It separates and retrieves user chat history. Use a meaningful user ID if you need to maintain chat history, or a random GUID if chat history persistence is not required.

Example embedded URL

https://<cloud_env>.uipath.com/myorg/mytenant/autopilotforeveryone_/conversational-agents/?agentId=12345&externalAuth=true&authEndpoint=https://my-api.example.com/token&externalUserId=user-abc-123
https://<cloud_env>.uipath.com/myorg/mytenant/autopilotforeveryone_/conversational-agents/?agentId=12345&externalAuth=true&authEndpoint=https://my-api.example.com/token&externalUserId=user-abc-123

HTML example

<iframe
  src="https://<cloud_env>.uipath.com/myorg/mytenant/autopilotforeveryone_/conversational-agents/?agentId=12345&externalAuth=true&authEndpoint=https://my-api.example.com/token&externalUserId=user-abc-123"
  width="400"
  height="600"
  frameborder="0"
  allow="clipboard-write"
></iframe>
<iframe
  src="https://<cloud_env>.uipath.com/myorg/mytenant/autopilotforeveryone_/conversational-agents/?agentId=12345&externalAuth=true&authEndpoint=https://my-api.example.com/token&externalUserId=user-abc-123"
  width="400"
  height="600"
  frameborder="0"
  allow="clipboard-write"
></iframe>
Note:

If the externalAuth=true parameter is missing, the embedded agent uses the standard sign-in redirect flow instead of anonymous access.

Troubleshooting

Token endpoint returns 403

  • Verify your ALLOWED_ORIGINS list includes the correct domains.
  • Check that the request origin header is being sent correctly.
  • Test the endpoint directly to isolate the issue.

Token request fails with authentication error

  • Verify the CLIENT_ID and CLIENT_SECRET environment variables are set correctly.
  • Confirm the external application is still active in UiPath Admin.
  • Check that the token endpoint URL in the code points to the correct UiPath environment.

Agent cannot access resources

  • Review the external application's assigned roles in Orchestrator.
  • Verify folder-level permissions are configured for all required folders.
  • Check that the scopes added to the external app match the required API access.

Chat history not persisting

  • Ensure you're using a consistent externalUserId for the same user.
  • Verify the user ID is being passed correctly in the embedded URL.

Next steps

Was this page helpful?

Support and Services
Get The Help You Need
UiPath Academy
Learning RPA - Automation Courses
UiPath Forum
UiPath Community Forum
Uipath Logo
Trust and Security
Terms of Use
Privacy Policy
Cookies Policy
© 2005-2026 UiPath. All rights reserved.