Limerence

Setup

Configure allowed origins for embedding

Before embedding an agent, you must configure which domains are allowed to embed it.

Configure Allowed Origins

  1. Go to Settings → Embed in the Limerence dashboard
  2. Add the full origin URLs where you'll embed the chat widget
  3. Click Save

Origin Format

Origins must be full URLs including the protocol:

✓ https://myapp.com
✓ https://dashboard.myapp.com
✓ http://localhost:3000

✗ myapp.com (missing protocol)
✗ https://myapp.com/page (no paths, origin only)

How Security Works

When a browser requests the embed page, Limerence sets a Content-Security-Policy: frame-ancestors header that lists your allowed origins. The browser checks this header before rendering the iframe:

  1. The server reads your team's allowed origins from the database
  2. It includes them in the CSP frame-ancestors 'self' <origins> directive on the HTML response
  3. If the parent page's origin is not in the list, the browser refuses to render the frame
  4. If no origins are configured, frame-ancestors 'none' is set — blocking all embedding

The embed API endpoints use permissive CORS, so chat requests are accepted from any origin. Access control is enforced by the CSP header on the HTML page, not by origin checks on individual API calls. The 'self' source is always included so the Limerence instance can render its own embeds.
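The origin rules and the header construction described above, sketched as an added example (this is not Limerence's code). The function names parseOrigin, buildFrameAncestors and wouldRender are hypothetical, and failing closed to 'none' when every configured entry is invalid is an assumption of this sketch.

```javascript
// Added example, not Limerence's implementation. All function names are hypothetical.

// Accept only a bare origin: scheme + host (+ optional port). Returns the
// normalised origin string, or null if the entry would be rejected.
function parseOrigin(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return null; // "myapp.com" has no protocol, so it does not parse as a URL
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Anything beyond the origin (path, query, fragment, credentials) is refused.
  if (url.pathname !== "/" || url.search || url.hash) return null;
  if (url.username || url.password) return null;
  return url.origin; // lower-cased host, default port dropped
}

// Build the directive for the embed page's Content-Security-Policy header.
function buildFrameAncestors(configured) {
  const origins = [...new Set(configured.map(parseOrigin).filter(Boolean))];
  // No usable origins: block all embedding (assumption: invalid entries
  // are dropped, so a list of only invalid entries also fails closed).
  if (origins.length === 0) return "frame-ancestors 'none'";
  return `frame-ancestors 'self' ${origins.join(" ")}`;
}

// Simplified model of the browser-side check for troubleshooting: exact
// origin match only. Real browsers apply the full CSP source-matching
// rules to every ancestor frame, not just the direct parent.
function wouldRender(parentOrigin, directive, selfOrigin) {
  const sources = directive.replace(/^frame-ancestors\s+/, "").split(/\s+/);
  if (sources.includes("'none'")) return false;
  return sources.some((s) =>
    s === "'self'" ? parentOrigin === selfOrigin : s === parentOrigin
  );
}

// Constructed sample configuration using the entries from "Origin Format".
const sample = ["https://myapp.com", "myapp.com", "https://myapp.com/page",
                "http://localhost:3000"];
const directive = buildFrameAncestors(sample);
console.log(directive);
console.log(wouldRender("https://dashboard.myapp.com", directive,
                        "https://limerence.example")); // placeholder self origin
```

The second console.log line shows the "refuses to load" case: a subdomain that was never added does not match the configured parent domain.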

Per-Team Configuration

Allowed origins are configured at the team level, not per-agent. All agents in a team share the same allowed origins.

To embed agents from different teams on different domains, configure each team's allowed origins separately.

Testing Locally

Add http://localhost:3000 (or your local port) to test embedding during development. Remember to remove it before going to production.

Troubleshooting

"Embedding not configured" error

No allowed origins are set. Go to Settings → Embed and add at least one origin.

Embed shows blank or refuses to load

Check the browser console for CSP errors. The embedding page's origin must exactly match one of your configured origins.

Embed works locally but not in production

Make sure you've added your production domain (with https://) to the allowed origins list. http://localhost does not cover production deployments.

Clipboard copy not working

Ensure the iframe has allow="clipboard-write". Without this permission, the browser blocks clipboard access inside the frame.

CSP Endpoint

You can query the CSP configuration for any agent programmatically:

GET /embed/<agent-id>/csp

Response: { "frameAncestors": ["https://myapp.com"] }

This returns the list of origins allowed to embed the agent, which is useful for debugging CSP issues.
