> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pixy.art/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Use embed keys and allowed origins to control where the editor can load.

## Embed Key

The embedded editor is authenticated with an `embedKey`.

Pass the key as the `embedKey` option when you use the SDK, or as the `embedKey` query parameter when you use a plain iframe.

<CodeGroup>
  ```html SDK theme={null}
  <script src="https://app.pixy.art/embed/sdk"></script>
  <div id="pixy" style="width: 100%; height: 900px;"></div>
  <script>
    window.Pixy.mount('#pixy', {
      embedKey: 'YOUR_EMBED_KEY',
      width: 1080,
      height: 1080,
    })
  </script>
  ```

  ```html Iframe theme={null}
  <iframe
    src="https://app.pixy.art/embed/editor?embedKey=YOUR_EMBED_KEY&width=1080&height=1080"
    width="100%"
    height="720"
    style="border:0;"
  ></iframe>
  ```
</CodeGroup>

Use a `designId` instead of `width` and `height` when you want to open an existing design. For full launch examples, see [How to use](/embed/how-to-use).

You can create or manage your embed key from the [Embed dashboard](https://app.pixy.art/embed).

## Allowed Origins

Allowed domains are checked before the embed editor loads.

* Add one domain per line in the Pixy Embed page.
* Leave the list empty to block all external embeds by default.
* Enter bare domains like `onecompiler.com` or full origins like `https://onecompiler.com`.

## Automation Key vs Embed Key

Use an Automation key for server-side Automation API requests.

Use an embed key for client-side embedded editor sessions.

<Warning>
  Do not use your Automation key in browser-side embed code.
</Warning>

## Checklist

Before going live:

* add your production domain to allowed origins
* add your staging domain if you test embeds outside production
* keep Automation keys server-side
* rotate keys if you believe they have been exposed