Authentication
Obtain a rooomAvatars API token and use it in REST API requests and the configurator iframe.
The rooomAvatars stack uses a single API token for two purposes: authenticating REST API calls and initializing the configurator iframe.
Obtaining a token
Log in at avatars.rooom.com or open the developer console at console.avatars.rooom.com to generate an API token.
REST API authentication
Send the token in the Authorization header for all requests to POST /avatar:
Authorization: Bearer API_TOKEN
Replace API_TOKEN with the token you obtained from the console.
Configurator iframe authentication
Pass the token as a fragment identifier in the iframe src URL:
<iframe src="https://editor.avatars.rooom.com/?transparent#token=API_TOKEN" allow="camera"></iframe>
Replace API_TOKEN with the token you obtained from the console. The configurator reads the token on load and immediately removes it from the URL to reduce its exposure.
Origin restriction
The API checks the Origin header of incoming requests against the API_ALLOWED_ORIGIN environment variable. If API_ALLOWED_ORIGIN is set and the request origin does not match, the server responds with 403 Forbidden.
Set API_ALLOWED_ORIGIN to the origin of your embedding page (for example https://example.com) to restrict which sites can call the API.
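The origin check described above, sketched as an added example; this is not rooomAvatars server code. The function names are hypothetical, and two behaviours are assumptions: a request without an Origin header is treated as a mismatch, and an API_ALLOWED_ORIGIN value that is not a bare origin fails closed.

```javascript
// Added example: sketch of the documented Origin check, not rooomAvatars server code.
// Assumption: a request without an Origin header counts as "does not match".

// Reduce a value to scheme://host[:port]; return null if it is not a bare origin.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "") return null;
  try {
    const url = new URL(value);
    // An origin has no path, query, fragment or credentials.
    if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) return null;
    // URL.origin lower-cases the host and drops default ports; opaque origins read "null".
    return url.origin === "null" ? null : url.origin;
  } catch {
    return null;
  }
}

// Returns the HTTP status the check would produce: 200 to continue, 403 to reject.
function checkOrigin(requestOrigin, allowedOrigin) {
  if (!allowedOrigin) return 200; // API_ALLOWED_ORIGIN unset: no restriction
  const allowed = normalizeOrigin(allowedOrigin);
  if (allowed === null) return 403; // assumption: misconfigured value fails closed
  // Compare whole origins, never prefixes or substrings.
  return normalizeOrigin(requestOrigin) === allowed ? 200 : 403;
}

// Constructed sample Origin values, checked against API_ALLOWED_ORIGIN=https://example.com
const configured = "https://example.com";
const samples = [
  "https://example.com",            // exact match
  "https://EXAMPLE.com:443",        // same origin after normalization
  "http://example.com",             // different scheme
  "https://example.com.other.test", // would pass a naive prefix comparison
  "https://sub.example.com",        // subdomain is a different origin
  undefined,                        // header absent
];
for (const origin of samples) {
  console.log(String(origin).padEnd(34), checkOrigin(origin, configured));
}
```

Clients other than browsers can send any Origin value, so this check limits which web pages can call the API and does not replace the token.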