Token Management

Embed tokens control which widgets can access your data and where they can be used.

What Are Embed Tokens?

Embed tokens (emb_...) are public-safe credentials for the Embed SDK. Unlike API keys, they:

Can be exposed in client-side code
Are restricted to specific domains
Can only access allowed views and events
Don't provide full API access

Creating Tokens

Via Dashboard

Go to Dashboard → Embed Tokens
Click Create Embed Token
Configure token settings (see below)
Copy the token and use it in your widget

Via API

Create tokens programmatically with the admin scope:

curl -X POST "https://rhumby.com/api/v1/embed-tokens" \
  -H "Authorization: Bearer rhb_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Club Website Widget",
    "allowedOrigins": ["https://myclub.org"],
    "allowedEvents": ["friday-night-spring-2026"],
    "allowedViews": ["standings", "results", "schedule"]
  }'

Token Settings

Parameter	Type	Required	Description
`name`	`string`	Yes	Descriptive name for the token (for your reference)
`allowedOrigins`	`array`	Yes	Domains where this token can be used (e.g., ["https://myclub.org"])
`allowedEvents`	`array`	No	Event slugs this token can access. Omit to allow all your events.
`allowedViews`	`array`	No	Widget types allowed: standings, results, schedule, register. Omit to allow all.
`customTheme`	`object`	No	Custom theme configuration (colors, fonts, spacing)
`expiresAt`	`date`	No	Optional expiration date. Token will stop working after this date.

Allowed Origins

Origins must be full URLs with protocol:

✓ https://myclub.org
✓ https://www.myclub.org
✓ https://events.myclub.org
✗ myclub.org (missing protocol)
✗ *.myclub.org (wildcards not supported)

For local development, add http://localhost or http://localhost:3000.

Restricting Events

Limit tokens to specific events for security:

{
  "allowedEvents": [
    "friday-night-spring-2026",
    "summer-regatta-2026"
  ]
}

If someone tries to use the token for a different event, it will fail with a 403 Forbidden error.

Restricting Views

Limit which widget types can be used:

{
  "allowedViews": [
    "standings",
    "results",
    "schedule"
  ]
}

This token cannot be used for registration widgets. Useful when you want to show data but not accept registrations through a partner site.

Token Lifecycle

Active Tokens

Active tokens work immediately after creation. They appear in your dashboard with usage statistics:

Total requests
Last used
Origins accessed from

Expiring Tokens

Set an expiration date for temporary access:

{
  "expiresAt": "2026-12-31T23:59:59Z"
}

Useful for:

Partner websites (limited-time agreements)
Event-specific widgets (auto-expire after the event)
Testing and development

Revoking Tokens

Revoke a token immediately:

Go to Dashboard → Embed Tokens
Click the token
Click Revoke

Revoked tokens stop working immediately. All existing widgets using that token will fail to load data.

Security Best Practices

Use Specific Restrictions

Don't create wide-open tokens:

❌ Bad: allowedOrigins: ["*"], allowedEvents: [], allowedViews: []
✓ Good: allowedOrigins: ["https://myclub.org"], 
         allowedEvents: ["friday-night-spring-2026"],
         allowedViews: ["standings"]

One Token Per Use Case

Create separate tokens for different purposes:

Club website: All views, only club domain
Partner sites: Limited views, partner domains
Mobile app: Specific events, app domain

This limits the blast radius if a token is compromised.

Rotate Tokens Periodically

Update tokens every 6-12 months:

Create a new token with the same settings
Update your website to use the new token
Monitor the old token's usage
Revoke the old token after confirming the new one works

Monitor Usage

Check token usage regularly:

Unexpected origins? Someone may be misusing your token
High request volume? Could indicate scraping or abuse
No recent activity? Token may not be deployed correctly

Troubleshooting

Check these common issues:

Wrong origin: Token's allowedOrigins must match your website exactly
Event restriction: Token may not allow the event slug you're using
View restriction: Token may not allow the widget type (view) you're using
Expired token: Check expiration date in dashboard
Revoked token: Token may have been revoked

403 Forbidden Error

The token is working, but you're trying to access something it doesn't allow:

Event not in allowedEvents
View not in allowedViews
Origin not in allowedOrigins

Check the browser console for the specific error message.

CORS Error

Your origin isn't in the token's allowedOrigins list. Add it in the dashboard and try again.

Embed tokens are public but restricted. Never expose API keys (rhb_...) in client-side code. Use embed tokens for widgets, API keys for server-side integrations.

Next Steps

Configure your widgets with all available options
Customize themes to match your brand
Explore widget types and use cases

Token Management

Embed tokens control which widgets can access your data and where they can be used.

What Are Embed Tokens?

Embed tokens (emb_...) are public-safe credentials for the Embed SDK. Unlike API keys, they:

Can be exposed in client-side code
Are restricted to specific domains
Can only access allowed views and events
Don't provide full API access

Creating Tokens

Via Dashboard

Go to Dashboard → Embed Tokens
Click Create Embed Token
Configure token settings (see below)
Copy the token and use it in your widget

Via API

Create tokens programmatically with the admin scope:

curl -X POST "https://rhumby.com/api/v1/embed-tokens" \
  -H "Authorization: Bearer rhb_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Club Website Widget",
    "allowedOrigins": ["https://myclub.org"],
    "allowedEvents": ["friday-night-spring-2026"],
    "allowedViews": ["standings", "results", "schedule"]
  }'

Token Settings

Parameter	Type	Required	Description
`name`	`string`	Yes	Descriptive name for the token (for your reference)
`allowedOrigins`	`array`	Yes	Domains where this token can be used (e.g., ["https://myclub.org"])
`allowedEvents`	`array`	No	Event slugs this token can access. Omit to allow all your events.
`allowedViews`	`array`	No	Widget types allowed: standings, results, schedule, register. Omit to allow all.
`customTheme`	`object`	No	Custom theme configuration (colors, fonts, spacing)
`expiresAt`	`date`	No	Optional expiration date. Token will stop working after this date.

Allowed Origins

Origins must be full URLs with protocol:

✓ https://myclub.org
✓ https://www.myclub.org
✓ https://events.myclub.org
✗ myclub.org (missing protocol)
✗ *.myclub.org (wildcards not supported)

For local development, add http://localhost or http://localhost:3000.

Restricting Events

Limit tokens to specific events for security:

{
  "allowedEvents": [
    "friday-night-spring-2026",
    "summer-regatta-2026"
  ]
}

If someone tries to use the token for a different event, it will fail with a 403 Forbidden error.

Restricting Views

Limit which widget types can be used:

{
  "allowedViews": [
    "standings",
    "results",
    "schedule"
  ]
}

This token cannot be used for registration widgets. Useful when you want to show data but not accept registrations through a partner site.

Token Lifecycle

Active Tokens

Active tokens work immediately after creation. They appear in your dashboard with usage statistics:

Total requests
Last used
Origins accessed from

Expiring Tokens

Set an expiration date for temporary access:

{
  "expiresAt": "2026-12-31T23:59:59Z"
}

Useful for:

Partner websites (limited-time agreements)
Event-specific widgets (auto-expire after the event)
Testing and development

Revoking Tokens

Revoke a token immediately:

Go to Dashboard → Embed Tokens
Click the token
Click Revoke

Revoked tokens stop working immediately. All existing widgets using that token will fail to load data.

Security Best Practices

Use Specific Restrictions

Don't create wide-open tokens:

❌ Bad: allowedOrigins: ["*"], allowedEvents: [], allowedViews: []
✓ Good: allowedOrigins: ["https://myclub.org"], 
         allowedEvents: ["friday-night-spring-2026"],
         allowedViews: ["standings"]

One Token Per Use Case

Create separate tokens for different purposes:

Club website: All views, only club domain
Partner sites: Limited views, partner domains
Mobile app: Specific events, app domain

This limits the blast radius if a token is compromised.

Rotate Tokens Periodically

Update tokens every 6-12 months:

Create a new token with the same settings
Update your website to use the new token
Monitor the old token's usage
Revoke the old token after confirming the new one works

Monitor Usage

Check token usage regularly:

Unexpected origins? Someone may be misusing your token
High request volume? Could indicate scraping or abuse
No recent activity? Token may not be deployed correctly

Troubleshooting

Check these common issues:

Wrong origin: Token's allowedOrigins must match your website exactly
Event restriction: Token may not allow the event slug you're using
View restriction: Token may not allow the widget type (view) you're using
Expired token: Check expiration date in dashboard
Revoked token: Token may have been revoked

403 Forbidden Error

The token is working, but you're trying to access something it doesn't allow:

Event not in allowedEvents
View not in allowedViews
Origin not in allowedOrigins

Check the browser console for the specific error message.

CORS Error

Your origin isn't in the token's allowedOrigins list. Add it in the dashboard and try again.

Embed tokens are public but restricted. Never expose API keys (rhb_...) in client-side code. Use embed tokens for widgets, API keys for server-side integrations.

Next Steps

Configure your widgets with all available options
Customize themes to match your brand
Explore widget types and use cases

Token Management

On this page

Token Management

On this page