ROLE
TIMELINE
TEAM
1 Chief Engineer
4 Engineers
TOOL
Figma
OVERVIEW
ChatDoc Master is a no-code, AI-powered chatbot builder. As it evolved into a business-facing product, the original admin panel, which was designed for individual users, could not scale to meet enterprise needs. Internal admins faced limited visibility, flat user structures, and manual backend work for onboarding and chatbot deployment.
To address this, I worked with internal engineers who also served as admins to map a new system architecture and designed a scalable admin panel with organization-level onboarding, role-based access control, and secure chatbot deployment via iFrame tokens.
PROBLEM
Originally, the admin dashboard allowed only flat user management: individual accounts with no grouping, no granular roles beyond platform admins, and limited tooling for debugging or onboarding. This setup worked when user count was low and user roles simple, but as we onboarded business users, the limitations caused inefficiencies and operational risks.
Old admin panel of ChatDoc Master
SOLUTION
GROUP MANAGEMENT
Admins can set up new business groups by assigning subscription plans, user and chatbot quotas, and a group admin who will manage the organization’s team. This supports smooth onboarding and scalable management of our growing business user base.
USER MANAGEMENT
Admins can easily assign or update roles, whether User, Group Admin, or CPII Admin (our internal admins), directly from the user table. This gives internal admins fine-grained control over who can manage teams, access chatbots, or configure system settings, all without needing to touch the backend.
From each user profile, admins can view chatbots created by that user. This gives admins the transparency they need to monitor usage and support business clients effectively.
CHATBOT MANAGEMENT
Admins can generate iFrame tokens that allow businesses to embed their chatbots directly onto their websites. Tokens are configurable with expiration dates and can be revoked as needed.
Admins can acquire new iFrame tokens by setting parameters like expiration date and question limit.
The generated iFrame code can be copied and embedded directly into business websites.
For each chatbot, admins can access the uploaded documents, chunked data, and chat history. This visibility supports issue tracking and aligns with backend data structures.
RESEARCH
As our engineering team also serves as admins, I interviewed four engineers to uncover the limitations of the original admin panel and their evolving responsibilities as we transitioned to support business users.
To design features that help business users deploy chatbots, I needed to understand these two technical terms:
iFrame
Token
A secure access key generated for a chatbot embed that controls and authorizes this embedding.
This structure supports managing complex business hierarchies by clearly defining relationships and data across groups, users, and chatbots.
Information architecture of new ChatDoc Master admin panel
OPPORTUNITY
IDEATION
Because our engineering team also acts as admins, every feature needed to support their technical workflows, minimize manual backend effort, and uphold platform security. I identified two core admin tasks as priorities:
Onboarding:
Ensure only authorized users can join the right organization and prevent misuse during sign-up.
Chatbot deployment:
Give admins control over iFrame tokens to prevent unauthorized access and protect chatbot data.
ITERATION 1
I designed a flow where admins could generate a registration link tied to a business group. The business would share this link with team members to sign up under the organization.

LIMITATIONS
Links posed security risks if leaked or reused.
Maintaining validation logic for links was complex.
ITERATION 2
I replaced the registration link with a unique registration code for each group. New users enter this code during signup to join their organization.

WHY THIS IS BETTER
More secure and revocable.
Easier for admins to distribute and track usage.
Better aligned with backend validation and scalable across clients.
Strengthening security for chatbot embed tokens
ITERATION 1
Admins generated iFrame embed tokens by entering a name and question limit. However, tokens never expired once created, leaving them permanently valid.

LIMITATIONS
Tokens that never expire create a security risk if they are leaked or stolen.
ITERATION 2
I added token expiration controls, allowing admins to set expiry dates.

WHY THIS IS BETTER
Improves security by limiting token lifespan, so a leaked or stolen token stops working once it expires.
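
Added example (not code from ChatDoc Master): a minimal server-side check for embed tokens that enforces the three controls described in this case study: an expiry date, a question limit, and revocation. The class and method names, the in-memory store, and storing only a hash of each token are assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class EmbedToken:
    chatbot_id: str
    expires_at: datetime  # always set: no permanently valid tokens
    question_limit: int
    questions_used: int = 0
    revoked: bool = False

class EmbedTokenStore:  # hypothetical in-memory stand-in for a backend token table
    def __init__(self):
        self._records = {}

    @staticmethod
    def _digest(token):
        # Keep only a hash, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, chatbot_id, lifetime, question_limit, now=None):
        if lifetime <= timedelta(0) or question_limit <= 0:
            raise ValueError("lifetime and question limit must be positive")
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)
        record = EmbedToken(chatbot_id, now + lifetime, question_limit)
        self._records[self._digest(token)] = record
        return token

    def revoke(self, token):
        record = self._records.get(self._digest(token))
        if record is not None:
            record.revoked = True
        return record is not None

    def authorize_question(self, token, chatbot_id, now=None):
        # Returns (allowed, reason); a question is counted only when allowed.
        now = now or datetime.now(timezone.utc)
        record = self._records.get(self._digest(token))
        if record is None or record.chatbot_id != chatbot_id:
            return False, "unknown_token"
        if record.revoked:
            return False, "revoked"
        if now >= record.expires_at:
            return False, "expired"
        if record.questions_used >= record.question_limit:
            return False, "question_limit_reached"
        record.questions_used += 1
        return True, "ok"
```

The check runs on every question rather than only when the iFrame loads, so revoking a token or reaching its expiry takes effect on embeds that are already open.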
TAKEAWAYS
This was one of the most challenging projects I've worked on due to its highly technical nature, but it helped me grow as a systems thinker.
By learning what tokens and iFrames mean and why they matter for security, I made informed design decisions that protect users and platform integrity. Moving forward, I will invest time early to understand key technical concepts to design solutions aligned with technical scope.
By deeply understanding how users, groups, and data interact within the backend architecture, I identified edge cases and complexities upfront. This clarity enabled me to design solutions that not only solve current needs but also scale smoothly as the business grows.
A big thank you to my team :)






























