You can pass information about the workspace and the user throught the embed widget by using these custom parameters in URL:
_HS_USER_ID_ - user id in current workspace
_HS_FIRSTNAME_ - user firstname
_HS_LASTNAME_ - user lastname
_HS_EMAIL_ - user email
_HS_PAGE_URL_ - current url of the page that the embed widget is located. Has also the workspace domain in it.
_HS_TIMESTAMP_ - unix timestamp for the moment embed was loaded
Example you can have embed url like this:https://www.example.com/?email=_HS_EMAIL_&ts=_HS_TIMESTAMP_ and it would be changed to something like this when loaded: https://www.example.com/?email=john.doe@client.org&ts=1710746815
Validating the parameters
Sometimes it is important to disable the possibility to manually change the parameters. In case you use user id or email to load something dynamic just for the certain user and don't want to allow others to see views that are meant for other users. Then you should add signature to the embed and use that to validate the request.
You can add signature by using iframe element instead of just the url. Here is an example embed:
<iframe role="presentation" src="https://www.example.com/?name=_HS_FIRSTNAME_&time=_HS_TIMESTAMP_" width="100%" height="56.25%" data-sig-secret="verysecret" data-sig-param="signature" allowfullscreen></iframe>
In this example the embed url would be something like: https://www.example.com?test=Antti&time=1710746815&signature=700686e65515ed8db4c7373ad98f89ef9edab2a9311da28d1e290f292df5c879
Signature in the url is calculated using HMAC method with sha246 as hashing algorithm. String for the hash is querystring without signature (test=Antti&time=1710746815 in this example) and with the verysecret as a secret.