Add docs for api/fabric/embeds/token endpoint #120
✅ Deploy Preview for signalwire-docs ready!
@diego-signalwire Since this is the fabric endpoint, and not all endpoints have been converted to TypeSpec, we will need to take the generated spec for this endpoint and migrate it over to the Once all fabric endpoints are converted to TypeSpec, we won't have to worry about this issue anymore.
@diego-signalwire If the endpoint is not meant to have any auth, we can actually hardset this in TypeSpec utilizing the

```typespec
// Define the API path for embeds
@useAuth({ type: Http.AuthType.noAuth })
@route("/embeds/tokens")
namespace FabricAPI.EmbedsTokens {
  @tag("Embeds Tokens")
  @friendlyName("Embeds Tokens")
  interface EmbedsTokens {
    @summary("Create Embeds Tokens")
    @post
    create(@body body: EmbedsTokensRequest):
      { @statusCode statusCode: 201; @body subscriber: EmbedsTokensResponse; } |
      StatusCode401 |
      StatusCode404 |
      StatusCode403;
  }
}
```

I went ahead and pushed this change. Additionally, the space name doesn't seem to matter in the request URL? I was able to provide my c2c token in my space with the random space name of

Can I also get clarification on what the endpoint does? It seems to me you provide it a generated c2c token, and can create an embed guest token out of this? I'm not sure I understand the benefit of this, I was already assuming the token created for c2c was already restricted?
The team thinks that we should not validate the space name and we are using a static request URL on provider callback, usually
I asked about the purpose of this endpoint on the eng-prime-team and this is what I understood about Bryan's response: The C2C (Click-to-Call) token is a public, long-lived identifier that represents a specific C2C configuration. However, it does not provide access on its own — it’s meant to identify which C2C widget you intend to activate. This endpoint exists to exchange the C2C token for a short-lived, private embed guest token that actually authorizes the call. This adds a layer of security: if the public token is compromised or abused, it can be rotated without affecting access control. This approach separates identification (C2C token) from authorization (guest token), which is a common security practice. Let me know if this does make sense to you.
@diego-signalwire This does make sense, thank you for explaining this! :) Additionally I made the following TypeSpec discussion: microsoft/typespec#6696 Once we get an answer from them, I'll know how to go about the URL for this spec.
Regarding the above issue with TypeSpec. It seems the issue has been placed in backlog. Once I'm done with my current priorities, I will look into the best way to handle this.
REST API Update Pull Request
Related Issue
Issue #13703
Description
Click to Call allows users to embed widgets in their website that let them utilize fabric resources for calling.
To use it, a developer will send a request from a browser or server with the ApiKey (generated via the UI). If the request is allowed by the settings (assigned address), then we will return a valid SAT token.
Type of Change
Motivation and Context
We don't have this endpoint documented, and we should. The namespace is api/fabric/embeds/tokens, and it is separate from the existing Guest/Invite tokens for subscribers.
The endpoint is public (allows requests without authorization)
The endpoint returns 403 Forbidden if the ApiKey setting is invalid
The endpoint returns a valid SAT if the ApiKey setting is valid
Checklist:
team/developer-experience label in the PR.
Additional Notes
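The exchange discussed in this thread (a public, long-lived C2C token traded at an unauthenticated endpoint for a short-lived guest token, 403 when the key is not valid), as an added Python example that is not SignalWire's code. The in-memory registry, the HMAC-signed token format, the 300-second lifetime and every name below are assumptions made for illustration; the real SAT format is not shown on this page.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-key"   # assumption: secret known only to the server
GUEST_TTL = 300                         # assumption: guest token lifetime in seconds
# Constructed registry: public C2C token -> the configuration it identifies.
C2C_CONFIGS = {"c2c_demo_public": {"address": "/public/support", "enabled": True}}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload):
    return _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())

def exchange(c2c_token, now=None):
    """Model of the public POST: returns (201, guest_token) or (403, None)."""
    now = int(time.time()) if now is None else now
    cfg = C2C_CONFIGS.get(c2c_token)
    if cfg is None or not cfg["enabled"]:
        return 403, None
    claims = {"addr": cfg["address"], "exp": now + GUEST_TTL}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return 201, f"{payload}.{_sign(payload)}"

def authorize_call(guest_token, now=None):
    """Only a valid, unexpired guest token authorizes; returns its address or None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = guest_token.split(".")
    except ValueError:
        return None                      # e.g. a raw C2C token presented directly
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims["addr"] if now < claims["exp"] else None

def rotate(old, new):
    """Replace the public identifier; guest tokens already issued simply expire."""
    C2C_CONFIGS[new] = C2C_CONFIGS.pop(old)
```
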