1. Help center

Why Iframely only supports public URLs

Last updated:

Iframely is designed to make embedding content from the Web easy and reliable. However, generally speaking, we only support embedding publicly accessible URLs and do not support private or restricted URLs that otherwise require a user interaction, such as authentication.

What are public and private URLs

Public URLs are links that Iframely can fetch without user interaction. Content on these URLs can be accessed without logging in or bypassing any security measures. For instance, a publicly shared YouTube video or a news article from a major website are examples of content with public URLs.

Private URLs are links that are restricted to certain users or require authentication to view. These include links that redirect the Iframely robot to a login page, such as a private social media post. Another type of private URL is when a publisher’s server responds to the Iframely robot with an outright HTTP status code 403. In both cases, Iframely will return a 403 status code to our customers.

Why Iframely only supports public URLs

By focusing on public URLs, Iframely ensures a reliable and privacy-friendly embedding experience.

We are committed to never receive, store or process sensitive end-user information. If a publisher supports it, the only way for us to resolve private URLs would be to connect to private publisher’s APIs. It would require handling end-user authentication data, which poses privacy and security risks, especially considering an unknown scope of use of such private data by our customers.

Limiting embeds to public URLs is in line with our privacy policy and keeps Iframely compliant with industry best security practices.

A better way for the industry

Iframely promotes a better approach to embedding of protected resources. We worked with a number of publishers to make the resources that require end-user authentication be available on Iframely nonetheless.

The approach is simple: publisher responds to Iframely with regular data, including an iframe code. The publisher handles user authentication on its own within that iframe, including, if required, logging a user in.

Iframely supports a number of publishers this way, included but not limited to Figma, Miro, Loom, Tableau, Mixpanel, Soundcloud, Vimeo and Google Docs.