Embed Mode

Embed any deployed GenMB app in an iframe on your website or portal. Public apps embed without any token. Private apps use token-based access control.

Public vs Private Apps

How you embed your app depends on its visibility setting. Public apps can be embedded freely, while private apps require a token for access.

Public App

No token required. Anyone can embed a public app using just the app URL.

<iframe src="https://myapp.genmb.com"></iframe>

Private App

Create an embed token and include it in the URL. Access is denied without a valid token.

<iframe src="https://myapp.genmb.com?embed_token=abc123"></iframe>

Public vs Private

If your app does not contain sensitive data, consider making it public. Public apps are simpler to embed since they require no token management. Use private mode with tokens when the app content should be restricted to authorized viewers.

Setting Up Embed Tokens

For private apps, create embed tokens to control who can access your app in an iframe.

1. Open app settings

In your app editor, go to Settings → Embed. This section shows all active tokens for the app.

2. Create a token

Click "New Token". A random 32-character token is generated and stored. Copy it immediately; it is only shown once in full.

3. Add to your iframe

Append ?embed_token=YOUR_TOKEN to your app URL in the iframe src attribute.

4. Revoke when no longer needed

Revoke tokens at any time from the same settings panel. Revoked tokens stop working immediately, except where a validation result is already cached, which can delay the effect by up to 1 hour (see Token Caching).

Token Security

Embed tokens are stored as hashed values in the database. The plain-text token is only shown once when created. If you lose a token, you cannot retrieve it — create a new one instead. For customer-facing portals, generate tokens server-side and inject them dynamically to avoid hardcoding secrets in your frontend.

Embed Code Example

A responsive iframe that fills its container and removes the default border:

HTML
<!-- Responsive embed wrapper -->
<div style="position: relative; padding-bottom: 56.25%; height: 0;">
  <iframe
    src="https://myapp.genmb.com?embed_token=YOUR_TOKEN"
    style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border: 0;"
    allow="fullscreen"
    loading="lazy"
  ></iframe>
</div>

Set allow="fullscreen" on the iframe to let users expand interactive content. Set loading="lazy" on iframes below the fold to improve page performance.

Token Management

Manage your embed tokens to control access across different integrations.

Multiple Tokens

Create separate tokens for different embed locations (e.g. one for your marketing site, another for your customer portal). This makes it easy to revoke access for a specific integration without affecting others.

Token Caching

Embed token validation is cached for 1 hour in the deploy service for fast response times. After revoking a token, it may take up to 1 hour to fully propagate.

Limits

Max tokens per app: 10
Token format: 32-character random string
Token expiry: None (revoke manually)
Cache TTL after revocation: Up to 1 hour
Plan requirement: Free (all plans)

Tips

Best practices for embedding GenMB apps in your website or portal.

Separate Tokens

Use separate tokens for separate embed locations for cleaner access control. If one integration is compromised, you only need to revoke that specific token.

Server-Side Token Injection

For customer portals, generate tokens server-side and inject them dynamically into the iframe URL to avoid hardcoding secrets in your frontend code.

Test your embed in a private/incognito window to verify token validation works as expected. This ensures the embed behaves correctly for users who are not signed into GenMB.
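
One way to do the server-side injection described under Token Security and in the tips above, with one token per embed location. This is an added example, not GenMB's own code: the environment variable names, the user.canViewEmbed flag and the function names are assumptions.

```javascript
// Added example: server-side rendering of a private GenMB embed (Node.js).
// Assumed names (not from GenMB): env vars GENMB_EMBED_TOKEN_<LOCATION>,
// the user.canViewEmbed flag, and all function names below.
const APP_URL = "https://myapp.genmb.com"; // app URL used in the docs above

// Escape a value before placing it inside a double-quoted HTML attribute.
const escapeAttr = (s) =>
  s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// One token per embed location, read from server-side configuration so the
// value never lives in the frontend source or the repository.
function tokenFor(location, env) {
  const token = env[`GENMB_EMBED_TOKEN_${location.toUpperCase()}`];
  // The docs describe tokens as 32-character random strings.
  if (typeof token !== "string" || token.length !== 32) {
    throw new Error(`no valid embed token configured for "${location}"`);
  }
  return token;
}

function buildEmbedUrl(token) {
  const url = new URL(APP_URL);
  url.searchParams.set("embed_token", token); // percent-encodes the value
  return url.toString();
}

// Returns iframe markup only for viewers the portal has authorized.
// Everyone else gets an empty string, so the token is never sent to them.
function renderEmbed(location, user, env = process.env) {
  if (!user || user.canViewEmbed !== true) return "";
  const src = escapeAttr(buildEmbedUrl(tokenFor(location, env)));
  return `<iframe src="${src}" style="border: 0;" allow="fullscreen" loading="lazy"></iframe>`;
}
```

The token still appears in the markup delivered to authorized viewers, so this keeps it out of source code and away from unauthorized visitors, not hidden from the people who can load the embed. Keeping one token per location means a token exposed this way can be revoked without touching the other integrations.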

FAQs

Can I embed a private app?
Yes. For private apps, create an embed token in your app settings. Include the token as a query parameter in the iframe URL and GenMB will validate it to allow access.
Do embed tokens expire?
Embed tokens do not have a built-in expiry date, but you can revoke them at any time from your app settings. Once revoked, the token stops working, although cached validation in the deploy service can delay this by up to 1 hour.
Is there a limit on how many sites can embed my app?
No. A single token can be used in as many iframes as needed. You can create up to 10 tokens per app, which lets you track or restrict access by issuing separate tokens for different embed locations.
Will the embedded app have access to analytics?
Yes. The analytics script runs normally inside the iframe and tracks page views, sessions, and referrers just like a standalone deployment.
Can I restrict which domains can embed my app?
Currently, embed tokens control access at the token level (valid token = access). Domain-level allowlisting is not yet supported.
