Secure your bot

APPLIES TO: SDK v3

Your bot can be connected to many different communication channels (SMS, email, and others) through the Bot Framework Connector service. This article describes how to secure your bot by using HTTPS and Bot Framework authentication.

Use HTTPS and Bot Framework authentication

To ensure that your bot's endpoint can only be accessed by the Bot Framework Connector, configure your bot's endpoint to use only HTTPS and enable Bot Framework authentication by registering your bot to acquire its appID and password.

Configure authentication for your bot

Specify the bot's appID and password in your bot's web.config file.

Note

To find your bot's AppID and AppPassword, see MicrosoftAppID and MicrosoftAppPassword.

<appSettings>
    <add key="MicrosoftAppId" value="_appIdValue_" />
    <add key="MicrosoftAppPassword" value="_passwordValue_" />
</appSettings>

Then, use the [BotAuthentication] attribute to specify authentication credentials when using the Bot Framework SDK for .NET to create your bot.

To use the authentication credentials that are stored in the web.config file, specify the [BotAuthentication] attribute with no parameters.

[BotAuthentication]
public class MessagesController : ApiController
{
    // Credentials come from MicrosoftAppId and MicrosoftAppPassword in web.config.
}

To use other values for authentication credentials, specify the [BotAuthentication] attribute and pass in those values.

[BotAuthentication(MicrosoftAppId = "_appIdValue_", MicrosoftAppPassword = "_passwordValue_")]
public class MessagesController : ApiController
{
    // Credentials come from the values passed to the attribute.
}
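
The steps above enable Bot Framework authentication but do not show how to refuse plain-HTTP requests. The following is an added example, not code from the original article or the Bot Framework SDK: an ASP.NET Web API authorization filter (the name RequireHttpsAttribute is hypothetical) applied alongside [BotAuthentication]. It assumes TLS terminates at the web server hosting the bot, so the request URI scheme reflects the client's connection.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Microsoft.Bot.Connector;

// Hypothetical filter name; rejects any request that did not arrive over HTTPS.
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            // Setting a response here short-circuits the pipeline,
            // so the controller action is never invoked.
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden)
            {
                ReasonPhrase = "HTTPS Required"
            };
        }
        else
        {
            base.OnAuthorization(actionContext);
        }
    }
}

[RequireHttps]        // transport check: HTTPS only
[BotAuthentication]   // credentials read from web.config, as configured above
public class MessagesController : ApiController
{
    public HttpResponseMessage Post([FromBody] Activity activity)
    {
        // Reached only for HTTPS requests that passed Bot Framework authentication.
        // Bot logic for the incoming activity goes here.
        return Request.CreateResponse(HttpStatusCode.OK);
    }
}
```

To check the result, send a request to the messaging endpoint over plain HTTP and confirm that it is answered with 403 rather than reaching the action.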
