Security Model

Review the current security model for Meshes embed, including workspace scoping, origins, launch bootstrap, and runtime authorization.

Use these rules when you integrate Meshes embed into a production application.

Keep management credentials on your backend

mint sessions from your backend only
never expose machine access keys or secret keys in browser code

Use `allowed_origins` when you want tighter embed restrictions

allowed_origins lets you restrict where a given session may be embedded.

For production embeds, send allowed_origins explicitly.

Treat `launch_url` as bootstrap-only

use launch_url only for the initial iframe request
do not reuse an old launch_url after a hard iframe reload
do not treat launch_url as the runtime session credential

Send `access_token` only after `meshes:ready`

wait for meshes:ready
then send meshes:auth
send later refreshed tokens with another meshes:auth

Do not put runtime tokens in iframe URLs

Keep the runtime access_token out of:

query strings
browser history
analytics events
error traces
client-side logs

Scope sensitive reads explicitly

If you want embedded users to view event payloads, grant events.payload:read intentionally when you mint the session.

Security Model

Review the current security model for Meshes embed, including workspace scoping, origins, launch bootstrap, and runtime authorization.

Use these rules when you integrate Meshes embed into a production application.

Keep management credentials on your backend

mint sessions from your backend only
never expose machine access keys or secret keys in browser code

Use `allowed_origins` when you want tighter embed restrictions

allowed_origins lets you restrict where a given session may be embedded.

For production embeds, send allowed_origins explicitly.

Treat `launch_url` as bootstrap-only

use launch_url only for the initial iframe request
do not reuse an old launch_url after a hard iframe reload
do not treat launch_url as the runtime session credential

Send `access_token` only after `meshes:ready`

wait for meshes:ready
then send meshes:auth
send later refreshed tokens with another meshes:auth

Do not put runtime tokens in iframe URLs

Keep the runtime access_token out of:

query strings
browser history
analytics events
error traces
client-side logs

Scope sensitive reads explicitly

If you want embedded users to view event payloads, grant events.payload:read intentionally when you mint the session.

Security Model

Review the current security model for Meshes embed, including workspace scoping, origins, launch bootstrap, and runtime authorization.

Keep management credentials on your backend

Use allowed_origins when you want tighter embed restrictions

Treat launch_url as bootstrap-only

Send access_token only after meshes:ready

Do not put runtime tokens in iframe URLs

Scope sensitive reads explicitly

Related docs

Security Model

Review the current security model for Meshes embed, including workspace scoping, origins, launch bootstrap, and runtime authorization.

Keep management credentials on your backend

Use allowed_origins when you want tighter embed restrictions

Treat launch_url as bootstrap-only

Send access_token only after meshes:ready

Do not put runtime tokens in iframe URLs

Scope sensitive reads explicitly

Related docs

Use `allowed_origins` when you want tighter embed restrictions

Treat `launch_url` as bootstrap-only

Send `access_token` only after `meshes:ready`

Use `allowed_origins` when you want tighter embed restrictions

Treat `launch_url` as bootstrap-only

Send `access_token` only after `meshes:ready`