Embed Session API
Create and manage embed sessions for boards with the Embed Session API endpoint.
Embed Session API
The Embed Session API allows you to create authenticated embed sessions for boards, enabling users to access board content through embedded interfaces with customizable user information and metadata.
Endpoint
POST /api/embed/sessionsAuthentication
This endpoint requires API Key authentication. Include your API key in the request headers:
Authorization: Bearer YOUR_API_KEYRequest Body
| Field | Type | Required | Description |
|---|---|---|---|
boardId | string | Yes | The unique identifier of the board |
userId | string | Yes | External user identifier from your system |
email | string (email) | Yes | User's email address |
firstName | string | No | User's first name |
lastName | string | No | User's last name |
avatarUrl | string (URL) | No | URL to user's avatar image |
plan | string | No | User's subscription plan (e.g., "free", "pro", "enterprise") |
metadata | object | No | Custom metadata as key-value pairs |
expiresInSeconds | number | No | Session expiration time in seconds (default: 2592000 = 30 days) |
Response
Returns a JSON object containing the created session details:
| Field | Type | Description |
|---|---|---|
session | object | The complete embed session object |
session.id | string | Unique session identifier |
session.boardId | string | Associated board ID |
session.token | string | Session authentication token |
session.userId | string | External user identifier |
session.email | string | User's email address |
session.firstName | string | User's first name |
session.lastName | string | User's last name |
session.avatarUrl | string | User's avatar URL |
session.plan | string | User's plan |
session.metadata | object | Custom metadata |
session.expiresAt | string (ISO 8601) | Session expiration timestamp |
session.createdAt | string (ISO 8601) | Session creation timestamp |
sessionToken | string | Session token (same as session.token) |
embedUrl | string | Complete URL to access the embedded board |
Authorization Rules
Embed sessions can only be created for boards that meet one of these conditions:
- The board has
PUBLICvisibility - The board is owned by an organization where the API key owner is a member
Example Request
curl -X POST https://your-domain.com/api/embed/sessions \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"boardId": "board_123abc",
"userId": "user_456def",
"email": "[email protected]",
"firstName": "John",
"lastName": "Doe",
"avatarUrl": "https://example.com/avatars/johndoe.jpg",
"plan": "pro",
"metadata": {
"source": "webapp",
"accountType": "business",
"customField": "value"
},
"expiresInSeconds": 604800
}'Example Response
{
"session": {
"id": "clx123abc456",
"boardId": "board_123abc",
"token": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
"userId": "user_456def",
"email": "[email protected]",
"firstName": "John",
"lastName": "Doe",
"avatarUrl": "https://example.com/avatars/johndoe.jpg",
"plan": "pro",
"metadata": {
"source": "webapp",
"accountType": "business",
"customField": "value"
},
"expiresAt": "2026-02-03T12:00:00.000Z",
"createdAt": "2026-01-27T12:00:00.000Z"
},
"sessionToken": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
"embedUrl": "https://your-domain.com/embed?token=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
}Error Responses
401 Unauthorized
API key is missing or invalid.
{
"error": "Unauthorized",
"message": "Invalid or missing API key"
}403 Forbidden
Board is not accessible with the provided API key.
{
"error": "Forbidden",
"message": "Embed sessions can only be created for public boards or boards owned by your organization"
}404 Not Found
Board with the specified ID does not exist.
{
"error": "Not Found",
"message": "Board not found"
}400 Bad Request
Invalid request body or validation error.
{
"error": "Bad Request",
"message": "Invalid email format"
}Usage Notes
Session Tokens
- Tokens are cryptographically secure random strings (32 characters)
- Each token is unique and cannot be reused
- Tokens are passed as query parameters in the embed URL
Expiration
- Default expiration is 30 days (2,592,000 seconds)
- Custom expiration can be set from 1 second to any positive integer value
- Expired sessions cannot be used to access embedded content
- Sessions with past expiration dates can be created but are immediately invalid
User Identification
userIdshould be a unique identifier from your system- The same
userIdcan have multiple active sessions for different boards - User information (firstName, lastName, avatarUrl) is used for display purposes in the embedded interface
Metadata
- Store any custom data as key-value pairs
- Useful for tracking session source, feature flags, or custom attributes
- Maximum nesting and size depends on your database configuration
- Empty objects
{}are valid
Multiple Sessions
- Multiple sessions can be created for the same board
- Multiple sessions can be created for the same user across different boards
- Each session has a unique token and can have different expiration times
Embed URL Usage
The returned embedUrl can be used directly in an iframe or as a standalone link:
<iframe
src="https://your-domain.com/embed?token=SESSION_TOKEN"
width="100%"
height="600"
frameborder="0"
></iframe>Best Practices
- Security: Store API keys securely and never expose them in client-side code
- Token Handling: Treat session tokens as sensitive credentials
- Expiration: Set appropriate expiration times based on your use case
- Validation: Always validate the response and handle errors appropriately
- Metadata: Use metadata for tracking and analytics, but avoid storing sensitive information
- Rate Limiting: Implement rate limiting on your side to prevent excessive session creation