How to fix "Access Denied" in your embed (JWT)

Safari and privacy tools strip referrer headers — JWT authentication keeps your embed loading for everyone

Your embed validates domains using the browser's referrer header. Safari, privacy extensions and mobile webviews sometimes strip it — and those users see Access Denied even from an allowed domain. JWT authentication fixes this.

1. Generate a signing secret#

In Orshot Embed settings, expand Authentication (JWT) and generate your Signing Secret:

The Authentication section with the signing secret

2. Sign a token on your server#

const jwt = require("jsonwebtoken");

const token = jwt.sign(
  { embedId: "YOUR_EMBED_ID", nonce: Math.random() },
  process.env.ORSHOT_SIGNING_SECRET,
  { expiresIn: "1h" }
);

3. Pass it in the embed URL#

https://orshot.com/embeds/YOUR_EMBED_ID?token=YOUR_JWT

A valid token bypasses referrer validation entirely. Invalid or expired tokens fall back to standard domain checking — nothing breaks.

Keep the secret server-side

Sign tokens on your backend only — never expose the Signing Secret in client code. Short expiries (1h or less) keep tokens low-risk.

Set up Orshot Embed

Domains and embed code basics

JWT authentication docs

Full setup with more languages

How to fix "Access Denied" in your embed (JWT)

1. Generate a signing secret#

2. Sign a token on your server#

3. Pass it in the embed URL#

Keep the secret server-side

Set up Orshot Embed

JWT authentication docs

More in Orshot Embed

Ready to automate?

How to fix "Access Denied" in your embed (JWT)

1. Generate a signing secret#

2. Sign a token on your server#

3. Pass it in the embed URL#

Keep the secret server-side

Related#

Set up Orshot Embed

JWT authentication docs

More in Orshot Embed

Ready to automate?