
Custom parameters for the embed widget

Updated over 10 months ago

You can pass information about the workspace and the user through the embed widget by using these custom parameters in the URL:

_HS_USER_ID_ - user ID in the current workspace
_HS_FIRSTNAME_ - user's first name
_HS_LASTNAME_ - user's last name
_HS_EMAIL_ - user's email address
_HS_PAGE_URL_ - current URL of the page where the embed widget is located. It also includes the workspace domain.
_HS_TIMESTAMP_ - Unix timestamp of the moment the embed was loaded

For example, you can have an embed URL like this: https://www.example.com/?email=_HS_EMAIL_&ts=_HS_TIMESTAMP_ and it would be changed to something like this when loaded: https://www.example.com/?email=<user's email address>&ts=1710746815

Validating the parameters

Sometimes it is important to prevent users from manually changing the parameters. If you use a user ID or email to load something dynamic for the user and don't want people to see views that are meant for other users, you should add a signature to the embed and use it to validate the request.

You can add a signature by using an iframe element instead of just the URL. Here is an example embed code:

<iframe role="presentation" src="https://www.example.com/?name=_HS_FIRSTNAME_&time=_HS_TIMESTAMP_" width="100%" height="56.25%" data-sig-secret="verysecret" data-sig-param="signature" allowfullscreen></iframe>

In this example the embed URL would be something like this: https://www.example.com?test=Antti&time=1710746815&signature=700686e65515ed8db4c7373ad98f89ef9edab2a9311da28d1e290f292df5c879

The signature in the URL is calculated using HMAC with SHA-256 as the hashing algorithm. The string that is hashed is the query string without the signature (test=Antti&time=1710746815 in this example), and verysecret is used as the secret.
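
A server-side check for the signature described above, as an added example that is not part of the original article or the vendor's own code. It assumes the signed string is the raw query string in received order with the signature pair removed and that the signature is lowercase hex; the function names, the sample URL and the 300-second freshness window on the time parameter are also assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit


def sign_query(query: str, secret: str) -> str:
    """Hex HMAC-SHA256 of the query string (signature parameter excluded)."""
    return hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()


def verify_embed_url(url, secret, sig_param="signature", ts_param="time",
                     max_age=300, now=None):
    """Return True only if the signature matches and the timestamp is fresh."""
    raw_query = urlsplit(url).query
    pairs = raw_query.split("&") if raw_query else []
    prefix = sig_param + "="
    sigs = [p[len(prefix):] for p in pairs if p.startswith(prefix)]
    if len(sigs) != 1:  # missing or duplicated signature: reject
        return False
    # Assumption: the signed string is the raw (still URL-encoded) query,
    # in received order, with the signature pair removed.
    signed = "&".join(p for p in pairs if not p.startswith(prefix))
    expected = sign_query(signed, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sigs[0].encode()):
        return False
    # Freshness window (an added assumption): limits reuse of a copied URL.
    ts_prefix = ts_param + "="
    stamps = [p[len(ts_prefix):] for p in pairs if p.startswith(ts_prefix)]
    if len(stamps) != 1 or not (stamps[0].isascii() and stamps[0].isdigit()):
        return False
    now = time.time() if now is None else now
    return abs(now - int(stamps[0])) <= max_age


# Constructed sample: signed locally with the article's example secret.
SECRET = "verysecret"
QUERY = "name=Antti&time=1710746815"
SIGNED_URL = f"https://www.example.com/?{QUERY}&signature={sign_query(QUERY, SECRET)}"

if __name__ == "__main__":
    print(verify_embed_url(SIGNED_URL, SECRET, now=1710746815 + 60))
    tampered = SIGNED_URL.replace("name=Antti", "name=Mallory")
    print(verify_embed_url(tampered, SECRET, now=1710746815 + 60))
```

Run the check before using any parameter from the URL to select per-user content, and treat a failed check the same as a missing signature.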
