Authentication
Obtain a rooomAvatars API token and use it in REST API requests and the configurator iframe.
Are you an LLM? You can read better optimized documentation at /docs/rooom-avatars/api/authentication.md for this page in Markdown format
Use one API token for avatar registration requests and editor iframe initialization.
INFO
rooomAvatars API access requires a token for your integration. If you do not have one, contact rooom Developer Support.
Token Usage
REST API bearer token
Authorization: Bearer API_TOKEN
Send the token in the Authorization header for all requests to POST /avatar:
http
Authorization: Bearer API_TOKENReplace API_TOKEN with the token for your rooomAvatars integration.
Editor iframe token
#token=API_TOKEN
Pass the token as a fragment identifier in the iframe src URL:
html
<!-- API_TOKEN is the token for your rooomAvatars integration. -->
<iframe
src="https://editor.avatars.rooom.com/?transparent#token=API_TOKEN"
allow="camera *; clipboard-read; clipboard-write"
></iframe>The editor reads the token on load and removes the hash fragment from the visible URL. Do not pass the token as a query parameter.
Best Practices
- Store the API token outside client-side source code when you call the REST API from your backend.
- Use the URL hash fragment only for editor iframe initialization.
- Validate iframe messages by
origin,source, andevent.data.sourcebefore reading payloads.