Token Management
Create and manage embed tokens for secure widget access
Token Management
Embed tokens control which widgets can access your data and where they can be used.
What Are Embed Tokens?
Embed tokens (emb_...) are public-safe credentials for the Embed SDK. Unlike API keys, they:
- Can be exposed in client-side code
- Are restricted to specific domains
- Can only access allowed views and events
- Don't provide full API access
Creating Tokens
Via Dashboard
- Go to Dashboard → Embed Tokens
- Click Create Embed Token
- Configure token settings (see below)
- Copy the token and use it in your widget
Via API
Create tokens programmatically with the admin scope:
curl -X POST "https://rhumby.com/api/v1/embed-tokens" \
-H "Authorization: Bearer rhb_..." \
-H "Content-Type: application/json" \
-d '{
"name": "Club Website Widget",
"allowedOrigins": ["https://myclub.org"],
"allowedEvents": ["friday-night-spring-2026"],
"allowedViews": ["standings", "results", "schedule"]
}'Token Settings
| Parameter | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Descriptive name for the token (for your reference) |
allowedOrigins | array | Yes | Domains where this token can be used (e.g., ["https://myclub.org"]) |
allowedEvents | array | No | Event slugs this token can access. Omit to allow all your events. |
allowedViews | array | No | Widget types allowed: standings, results, schedule, register. Omit to allow all. |
customTheme | object | No | Custom theme configuration (colors, fonts, spacing) |
expiresAt | date | No | Optional expiration date. Token will stop working after this date. |
namestringRequiredDescriptive name for the token (for your reference)
allowedOriginsarrayRequiredDomains where this token can be used (e.g., ["https://myclub.org"])
allowedEventsarrayOptionalEvent slugs this token can access. Omit to allow all your events.
allowedViewsarrayOptionalWidget types allowed: standings, results, schedule, register. Omit to allow all.
customThemeobjectOptionalCustom theme configuration (colors, fonts, spacing)
expiresAtdateOptionalOptional expiration date. Token will stop working after this date.
Allowed Origins
Origins must be full URLs with protocol:
✓ https://myclub.org
✓ https://www.myclub.org
✓ https://events.myclub.org
✗ myclub.org (missing protocol)
✗ *.myclub.org (wildcards not supported)For local development, add http://localhost or http://localhost:3000.
Restricting Events
Limit tokens to specific events for security:
{
"allowedEvents": [
"friday-night-spring-2026",
"summer-regatta-2026"
]
}If someone tries to use the token for a different event, it will fail with a 403 Forbidden error.
Restricting Views
Limit which widget types can be used:
{
"allowedViews": [
"standings",
"results",
"schedule"
]
}This token cannot be used for registration widgets. Useful when you want to show data but not accept registrations through a partner site.
Token Lifecycle
Active Tokens
Active tokens work immediately after creation. They appear in your dashboard with usage statistics:
- Total requests
- Last used
- Origins accessed from
Expiring Tokens
Set an expiration date for temporary access:
{
"expiresAt": "2026-12-31T23:59:59Z"
}Useful for:
- Partner websites (limited-time agreements)
- Event-specific widgets (auto-expire after the event)
- Testing and development
Revoking Tokens
Revoke a token immediately:
- Go to Dashboard → Embed Tokens
- Click the token
- Click Revoke
Revoked tokens stop working immediately. All existing widgets using that token will fail to load data.
Security Best Practices
Use Specific Restrictions
Don't create wide-open tokens:
❌ Bad: allowedOrigins: ["*"], allowedEvents: [], allowedViews: []
✓ Good: allowedOrigins: ["https://myclub.org"],
allowedEvents: ["friday-night-spring-2026"],
allowedViews: ["standings"]One Token Per Use Case
Create separate tokens for different purposes:
- Club website: All views, only club domain
- Partner sites: Limited views, partner domains
- Mobile app: Specific events, app domain
This limits the blast radius if a token is compromised.
Rotate Tokens Periodically
Update tokens every 6-12 months:
- Create a new token with the same settings
- Update your website to use the new token
- Monitor the old token's usage
- Revoke the old token after confirming the new one works
Monitor Usage
Check token usage regularly:
- Unexpected origins? Someone may be misusing your token
- High request volume? Could indicate scraping or abuse
- No recent activity? Token may not be deployed correctly
Troubleshooting
Widget Not Loading
Check these common issues:
- Wrong origin: Token's
allowedOriginsmust match your website exactly - Event restriction: Token may not allow the event slug you're using
- View restriction: Token may not allow the widget type (view) you're using
- Expired token: Check expiration date in dashboard
- Revoked token: Token may have been revoked
403 Forbidden Error
The token is working, but you're trying to access something it doesn't allow:
- Event not in
allowedEvents - View not in
allowedViews - Origin not in
allowedOrigins
Check the browser console for the specific error message.
CORS Error
Your origin isn't in the token's allowedOrigins list. Add it in the dashboard and try again.
Embed tokens are public but restricted. Never expose API keys (rhb_...) in client-side code. Use embed tokens for widgets, API keys for server-side integrations.
Next Steps
- Configure your widgets with all available options
- Customize themes to match your brand
- Explore widget types and use cases