# How to fix "Access Denied" in your embed (JWT)

> Safari and privacy tools strip referrer headers — JWT authentication keeps your embed loading for everyone

- **URL**: https://orshot.com/help/embed-fix-access-denied

---

Your embed validates domains using the browser's referrer header. Safari, privacy extensions and mobile webviews sometimes strip it — and those users see **Access Denied** even from an allowed domain. JWT authentication fixes this.

## 1. Generate a signing secret

In **Orshot Embed** settings, expand **Authentication (JWT)** and generate your **Signing Secret**:

![The Authentication section with the signing secret](https://orshot.com/help/embed/auth-1-jwt.webp)

## 2. Sign a token on your server

```javascript
const jwt = require("jsonwebtoken");

// Runs server-side only: the signing secret must never reach the browser.
const token = jwt.sign(
  { embedId: "YOUR_EMBED_ID", nonce: Math.random() },
  process.env.ORSHOT_SIGNING_SECRET, // the Signing Secret generated in step 1
  { expiresIn: "1h" } // token expires after one hour
);
```

## 3. Pass it in the embed URL

```text
https://orshot.com/embeds/YOUR_EMBED_ID?token=YOUR_JWT
```

A valid token bypasses referrer validation entirely. Invalid or expired tokens fall back to standard domain checking — nothing breaks.
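Steps 2 and 3 and the fallback rule above, as an added example (not Orshot's code and not part of the original page): it mints the compact HS256 format that `jsonwebtoken` produces by default for a string secret, using only Node's built-in `crypto`, then models the token-first, referrer-fallback decision. `verifyEmbedToken`, `decideAccess`, the `embedId` binding check and the allow-list are assumptions about how such a check could work.

```javascript
const crypto = require("node:crypto");

const hmac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Mint a compact HS256 token carrying the page's embedId claim plus a short expiry.
function signEmbedToken(embedId, secret, ttlSeconds = 3600, nowMs = Date.now()) {
  const iat = Math.floor(nowMs / 1000);
  // randomUUID() stands in for the page's Math.random() nonce (assumption: any unique value works).
  const claims = { embedId, nonce: crypto.randomUUID(), iat, exp: iat + ttlSeconds };
  const signingInput = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  return `${signingInput}.${hmac(signingInput, secret).toString("base64url")}`;
}

// Return the claims only if signature, algorithm, embedId and expiry all check out.
function verifyEmbedToken(token, embedId, secret, nowMs = Date.now()) {
  const parts = String(token || "").split(".");
  if (parts.length !== 3) return null;
  const expected = hmac(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    if (dec(parts[0]).alg !== "HS256") return null; // pin the algorithm, never trust the header
    const claims = dec(parts[1]);
    const live = typeof claims.exp === "number" && claims.exp > Math.floor(nowMs / 1000);
    return live && claims.embedId === embedId ? claims : null;
  } catch {
    return null; // malformed JSON in header or payload
  }
}

// Hypothetical model of the access decision: a valid token wins, anything else
// falls back to the referrer allow-list (which fails when the header is stripped).
function decideAccess({ token, referrer, embedId, secret, allowedDomains, nowMs }) {
  if (verifyEmbedToken(token, embedId, secret, nowMs)) return "allow:token";
  let host = null;
  try { host = new URL(referrer).hostname; } catch { /* referrer missing or malformed */ }
  return host !== null && allowedDomains.includes(host) ? "allow:referrer" : "deny";
}

// Build the embed URL from step 3; the token is URL-encoded defensively.
const embedUrl = (embedId, token) =>
  `https://orshot.com/embeds/${encodeURIComponent(embedId)}?token=${encodeURIComponent(token)}`;
```

Mint a fresh token per page render rather than caching one, so the one-hour expiry actually bounds how long a copied embed URL keeps working.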
