Do you support domain restrictions for tokens?
Not currently.
At the moment, tokens can be used on any domain. That said, the practical risk is low:
- Tokens are generated using your API key (which should remain secure).
- An attacker would need to obtain a valid, unexpired token.
- Any embedded dashboard would only expose data that the token holder already has access to.
Keep in mind that a token is a bearer credential: anyone who holds a copy can use it from any origin until it expires, so keep token lifetimes short and never ship your API key to the browser.
We’ve added domain restriction support as a roadmap item:
https://roadmap.embeddable.com/roadmap/restrict-domain-for-security-token-use
Is there an endpoint to validate whether a token is still valid?
We don’t provide a token validation endpoint.
Embeddable tokens are standard JWTs. You can:
- Decode the token using any JWT library.
- Inspect the `exp` (expiry) claim in the payload.
- Check whether the token has expired.
Since tokens remain valid until their expiry time, checking the expiration date is all that’s required to determine validity. Two caveats: `exp` is expressed in seconds since the Unix epoch (not milliseconds), so compare it against the current time in the same unit and allow a small leeway for clock skew; and decoding without the signing key only tells you whether the token claims to be unexpired, not that Embeddable issued it, which is sufficient for deciding whether to reuse or refresh a token you obtained yourself.
Recommended flow:
- Decode the token.
- If it hasn’t expired, continue using it.
- If it has expired, generate a new token.
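The flow above, implemented in JavaScript as an added example (this is not code from Embeddable or from this page). It assumes the token is a standard JWT whose `exp` claim is an integer count of seconds since the Unix epoch, that `requestNewToken` is a hypothetical callback to your own backend which mints a fresh token with your API key, and that the constructed sample token carries a placeholder signature, since this check never verifies signatures:

```javascript
// Added example: client-side expiry check for an Embeddable security token.
// Not code from Embeddable or from the page. Assumptions: the token is a standard
// JWT whose `exp` claim is seconds since the Unix epoch (RFC 7519); the sample
// token's signature is a placeholder, because this check never verifies signatures.

function base64UrlDecode(s) {
  // JWT segments are base64url without padding; convert to plain base64 for Buffer.
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Parse the payload (second segment) of a JWT. Throws on anything that is not
// shaped like header.payload.signature with a JSON payload.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) throw new Error('not a JWT: expected header.payload.signature');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Seconds until the token's `exp`; negative once it has passed. Throws if `exp`
// is missing or not numeric, because a token without an expiry cannot be checked.
function secondsUntilExpiry(token, nowMs = Date.now()) {
  const { exp } = decodeJwtPayload(token);
  if (!Number.isFinite(exp)) throw new Error('token has no numeric exp claim');
  return exp - Math.floor(nowMs / 1000);
}

// True if the token will still be valid `leewaySeconds` from now. The leeway
// absorbs clock skew between your server and the issuer and the time it takes
// the embedded dashboard to actually present the token. Malformed tokens are
// reported as unusable rather than thrown, so callers simply mint a new one.
function isTokenUsable(token, { nowMs = Date.now(), leewaySeconds = 30 } = {}) {
  try {
    return secondsUntilExpiry(token, nowMs) > leewaySeconds;
  } catch (err) {
    return false;
  }
}

// The recommended flow: reuse a cached token while it is usable, otherwise call
// `requestNewToken`, a hypothetical callback to your own backend that mints a
// fresh token with your API key (the key itself must never reach the browser).
function getUsableToken(cachedToken, requestNewToken, opts = {}) {
  if (cachedToken && isTokenUsable(cachedToken, opts)) return cachedToken;
  return requestNewToken();
}

// Constructed sample token for exercising the logic offline: valid JWT
// structure, real JSON claims, placeholder signature.
function makeSampleToken(exp, extraClaims = {}) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({ exp, ...extraClaims }));
  return `${header}.${payload}.placeholder-signature`;
}

// Demo: a token with 10 minutes left is reused; an expired one triggers a refresh.
const nowSec = Math.floor(Date.now() / 1000);
let minted = 0;
const refresh = () => { minted += 1; return makeSampleToken(nowSec + 3600); };
getUsableToken(makeSampleToken(nowSec + 600), refresh);
getUsableToken(makeSampleToken(nowSec - 600), refresh);
console.log(`tokens minted: ${minted}`); // 1: only the expired token was replaced
```

The client never holds the key the token was signed with, so this is a freshness check only; it decides whether to refresh, not whether a token presented by someone else is genuine. Run the refresh through your own backend so the API key stays server-side.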
Can tokens be invalidated on logout (instead of relying on time-based expiry)?
Not currently.
Tokens are valid until they expire, and we don’t yet support manual invalidation (e.g. “logout” or “invalidate all tokens” flows). Until that exists, the mitigations are to issue short-lived tokens and to discard the token client-side on logout; discarding it stops your own app from using it, but does not stop anyone who already holds a copy from using it until it expires.
We’ve added this as a roadmap item:
https://roadmap.embeddable.com/roadmap/api-to-invalidate-security-tokens