Embed tokens

A read-only iframe, safely.

To put the assistant on a shop-floor screen, never ship an API key to the browser. Mint a short-lived, read-only, project-scoped embed token from your backend.

1. Mint (server-side, with your API key)

```bash
curl -s -X POST "https://app.plcs.ai/api/v1/embed-tokens" \
  -H "Authorization: Bearer $PLCS_API_KEY" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: $(uuidgen)" \
  -d '{ "project_id": "prj_…" }'
```

```json
{
  "token": "eyJvcmdJ…<signed>",
  "expires_at": "2026-05-31T18:15:00.000Z",
  "permissions": { "ai_explain": true, "hmi_view": true },
  "project_id": "prj_…"
}
```

2. Load the iframe (in the browser)

```html
<iframe
  src="https://app.plcs.ai/embed/chat?et=eyJvcmdJ…"
  style="width:100%;height:600px;border:0"
  title="PLCs.ai assistant"></iframe>
```

The read-only guarantee. Regardless of the minting key's scope, the token's permissions are intersected with the read-only set ai_explain + hmi_view. Even a token minted by a broadly scoped key can never carry a write scope; this is verified both at mint and at validation. Tokens are short-lived (default 15 min); mint a fresh one when it expires.
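One way to wire steps 1 and 2 together on the backend, as an added example (not PLCs.ai's own code): the handler mints with the server-held key, fails closed if the response carries anything beyond the two read-only scopes, and hands the browser only the iframe URL. The function names, the sample token and `prj_example` are constructed for illustration, and the token is treated as an opaque string.

```python
import json, os, uuid
from datetime import datetime, timezone
from urllib.parse import quote
from urllib.request import Request, urlopen

MINT_URL = "https://app.plcs.ai/api/v1/embed-tokens"   # endpoint from the page
EMBED_URL = "https://app.plcs.ai/embed/chat"           # iframe base from the page
READ_ONLY = {"ai_explain", "hmi_view"}                 # scopes the page lists
# Constructed sample response, shaped like the one shown on the page.
SAMPLE = {"token": "abc+/=.def", "expires_at": "2026-05-31T18:15:00.000Z",
          "permissions": {"ai_explain": True, "hmi_view": True},
          "project_id": "prj_example"}

def build_mint_request(api_key, project_id):
    """Build the server-side mint request; the API key stays on the backend."""
    body = json.dumps({"project_id": project_id}).encode()
    return Request(MINT_URL, data=body, method="POST", headers={
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
        "Idempotency-Key": str(uuid.uuid4()),   # fresh key per mint attempt
    })

def check_mint_response(resp, project_id, now=None):
    """Reject a response that is expired, wrongly scoped, or for another project."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromisoformat(resp["expires_at"].replace("Z", "+00:00"))
    granted = {name for name, on in resp["permissions"].items() if on}
    if resp["project_id"] != project_id:
        raise ValueError("token is scoped to a different project")
    if not granted <= READ_ONLY:
        raise ValueError(f"unexpected scopes: {sorted(granted - READ_ONLY)}")
    if expires <= now:
        raise ValueError("token already expired")
    return expires

def iframe_src(token):
    """Only this URL reaches the browser; the token is percent-encoded."""
    return f"{EMBED_URL}?et={quote(token, safe='')}"

def mint_embed_src(project_id):
    """Hypothetical backend handler body: mint, verify, return src and expiry."""
    req = build_mint_request(os.environ["PLCS_API_KEY"], project_id)
    with urlopen(req, timeout=10) as r:
        resp = json.load(r)
    expires = check_mint_response(resp, project_id)
    return {"src": iframe_src(resp["token"]), "expires_at": expires.isoformat()}
```

The page hosting the iframe can call the handler again shortly before `expires_at` and swap in the fresh `src`.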