FAQ
Short answers to the questions integrators ask most often.
Quick answers to common questions. For step-by-step fixes, see Common issues; for exact API behaviour, see the API reference.
Is the embed key a secret?
No. The embed key (tpl_…) is a public, read-only token scoped to a single install template. It's safe in client-side HTML and source control. The secret credential is the account API key (sk_live_…), which is write-scoped and must stay server-side. See Embed keys vs account keys.
Does the widget add a dependency or slow my page down?
No. The widget is vanilla JavaScript with no dependencies and loads asynchronously. Load it with defer (or dynamically) and it won't block rendering. It mounts into a Shadow DOM, so it never touches your global styles or scripts.
Will the widget's CSS clash with my site?
No. Everything renders inside a Shadow DOM, so your page CSS can't leak in and the widget's CSS can't leak out. You customise the look through a small set of theme tokens — see Custom styling.
Can I host the widget inside an iframe?
Yes. Set data-iframe="true" (or iframe: true in Inboard.init()) and the widget mounts in a sandboxed iframe and uses postMessage for callbacks. Note that auto-detection relies on reading the host page URL, so you may want to pass data-platform explicitly when isolating in an iframe.
How does the widget know the installer's platform?
It auto-detects from signals on the page. You can override detection with data-platform, and the widget always offers a manual picker as a fallback. See Multi-platform support.
Are secret values ever sent to Inboard?
No. A variable defined as secret is substituted into the rendered guide in the browser and never leaves it — it isn't stored, logged, or included in analytics or webhook payloads. Use secret for any API keys or tokens you prompt installers for. See Variable handling.
What happens when I rotate an embed key?
Rotating issues a new key immediately. The old key keeps working for 24 hours so you have a window to update your embeds before it stops resolving. Account API keys, by contrast, are revoked instantly on rotation.
Which languages does the widget support?
The widget renders in the installer's browser locale where a translation exists, and falls back to the template's default language otherwise. You can force a language with data-locale. See the data-locale attribute in Configuration for the supported tags (en, fr, de, es) and fallback behaviour.
Can I call the API directly instead of using the widget?
Yes. The same public endpoints the widget uses are documented in the API reference — GET /v1/guides/:embedKey, POST /v1/events, and POST /v1/verify. Authenticate read-only calls with the embed key.
Do I need a paid plan to embed the widget?
No. The Free plan includes a monthly install allowance. Programmatic account-level API access (account keys) is a Business-plan feature. See Billing.
How do I verify a snippet hasn't been tampered with?
Code snippets are signed with Ed25519. The widget shows the signature so installers can confirm the snippet came from you unaltered, and a public viewer lets anyone audit the contents. See Security.
Still have a question?
Check Common issues or reach out — include the requestId from any failing request so we can help faster.