Currently, the API can be used to access any public data of the embeds, if a user knows the website ID and the resource ID (page ID or user ID). This is bad for private communities.
So, the idea is to allow users to add a token created with a shared secret (similar to SSO private key).
<hyvor-talk-comments token="TOKEN WITH TIMESTAMP ENCRYPTED">
Once this option is enabled in the Console, users can access the embed API for that website ID ONLY if a token is present with an acceptable timestamp (2 days expiration?).
So, for all /api/embed
requested, we would pass along this timestamp, and on our end, we’ll validate it every time before processing the request. This will make the embed API secure from external access.