Embed security
Why a JWT with filters in claims
If the filters travel in the URL, client-side JS (or anyone who edits the address bar) can change them and the iframe starts showing other people's data. With a signed JWT the filters sit in the claims: the embed surface verifies the signature and reads the filters only from the verified claims, so changing them in the browser invalidates the token. This holds only as long as the embed surface ignores any filter parameters in the URL and verifies the signature with the algorithm pinned server-side rather than trusting the token's alg header.
Origin allowlist
Each mk_* API key carries an allowlist of origins. A POST /api/v1/embed/tokens request whose Origin header is not on the key's list is rejected. Browsers set the Origin header themselves and page scripts cannot override it, so a key that leaks into another site's frontend cannot mint tokens from there. A non-browser client can send any Origin it likes, so the allowlist does not replace keeping the key secret.
Short TTL
The embed JWT is issued with a TTL between 5 and 60 minutes, chosen per token via ttl_seconds at issuance. Once exp passes the embed surface rejects the token, so a link carrying an old token stops working after the window. Keep the TTL short: it is the token, not the API key, that ends up in page markup, browser history and logs.
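The three pieces above (filters in signed claims, an Origin allowlist on the token endpoint, and a short TTL) form one flow, shown here end to end as an added example. This is not the project's own code: the HS256 signing, the API_KEYS table, the tenant and filter names and the handler function names are all assumptions. It issues a token, reads filters only from verified claims, and demonstrates that a tampered payload, an expired token, a foreign Origin and an out-of-range ttl_seconds are each rejected.

```python
# Added example (not the project's code). Constructed sample data throughout.
import base64
import hashlib
import hmac
import json
import time

SIGNING_SECRET = b"replace-with-a-real-32-byte-secret"  # assumption: server-side HS256 secret

# Assumption: each mk_* key is bound to an origin allowlist and a tenant.
API_KEYS = {
    "mk_live_example": {"origins": {"https://partner.example"}, "tenant": "acme"},
}

MIN_TTL, MAX_TTL = 5 * 60, 60 * 60  # the 5-60 minute window from the text


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Compact HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SIGNING_SECRET, now=None) -> dict:
    """Return the claims or raise ValueError. The algorithm is pinned (the
    token's alg header is never trusted), the MAC is compared in constant
    time, and exp is checked against the caller-supplied clock."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = now if now is not None else time.time()
    if current >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def issue_embed_token(api_key: str, origin: str, filters: dict,
                      ttl_seconds: int = 600, now=None) -> str:
    """Logic behind POST /api/v1/embed/tokens (assumed handler shape):
    Origin allowlist check, filters into claims, bounded TTL."""
    key = API_KEYS.get(api_key)
    if key is None:
        raise PermissionError("unknown API key")
    # Origin is browser-set and not script-overridable; a non-browser caller
    # can forge it, so this bounds where a leaked key is usable from a page,
    # nothing more.
    if origin not in key["origins"]:
        raise PermissionError(f"origin {origin!r} not allowed for this key")
    if not MIN_TTL <= ttl_seconds <= MAX_TTL:
        raise ValueError("ttl_seconds must be between 300 and 3600")
    iat = int(now if now is not None else time.time())
    claims = {"iss": "embed", "sub": key["tenant"], "filters": filters,
              "iat": iat, "exp": iat + ttl_seconds}
    return sign_jwt(claims)


def filters_for_request(token: str, url_query: dict, now=None) -> dict:
    """Embed surface: filters come from verified claims only. url_query is
    deliberately ignored, so nothing in the iframe URL can widen the view."""
    claims = verify_jwt(token, now=now)
    return claims["filters"]


def tamper(token: str, new_filters: dict) -> str:
    """Constructed attack: rewrite the payload's filters without re-signing."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["filters"] = new_filters
    return f"{h}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{s}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_embed_token("mk_live_example", "https://partner.example",
                            {"customer_id": 42}, 600, now=t0)
    print(filters_for_request(tok, {"customer_id": 99}, now=t0 + 10))
    for bad in (tamper(tok, {"customer_id": 99}), tok):
        try:
            verify_jwt(bad, now=t0 + 10 if bad != tok else t0 + 601)
        except ValueError as e:
            print("rejected:", e)
```

The `now` parameter exists so the exp check is deterministic in tests; in production leave it unset. A real deployment would also want an `iss`/`aud` check and a `kid` for secret rotation, neither of which the page describes, so they are left out here.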
CORS
The embed surface answers with Access-Control-Allow-Origin: * because partner sites live on arbitrary domains. That is acceptable only as long as the embed surface authenticates with the embed JWT and never with cookies; browsers refuse to combine a wildcard origin with credentials anyway. The cabinet surface uses an origin allowlist. The mTLS surface sets no CORS headers at all, so browsers cannot call it cross-origin.