Embed Authentication

How to control access to embedded internotes and maps

Public internotes and maps can be embedded without any authentication. For private content, you need to generate a signed token from your server and pass it to the embed.

Generating a Token

Use your Internote API key to sign a token server-side:

import { signEmbedToken } from '@internote/embed-server'

const token = await signEmbedToken({
  apiKey: process.env.INTERNOTE_API_KEY,
  resourceId: 'INTERNOTE_ID',
  expiresIn: '1h'
})

import { signEmbedToken } from '@internote/embed-server'

const token = await signEmbedToken({
  apiKey: process.env.INTERNOTE_API_KEY,
  resourceId: 'INTERNOTE_ID',
  expiresIn: '1h'
})

TypeScript

Read-only

Passing the Token

Pass the token to the embed component:

<Internote id="INTERNOTE_ID" token={token} />

<Internote id="INTERNOTE_ID" token={token} />

tsx

Read-only

Token Expiry

Tokens expire after the time specified in expiresIn. Generate fresh tokens on each page load — do not cache them client-side.

Security

Never expose your API key in client-side code. Token generation must happen on your server.

On this page

Generating a Token Passing the Token Token Expiry