Overview
WhataBot’s flow editor can be embedded directly into your own application using an iframe. This allows you to offer flow-building capabilities to your users without them needing to leave your platform.Requirements
To embed the flow editor, you need:- An OAuth client — created in your workspace settings, providing a
clientIdandclientSecret. - A workspace with
iframe_enabledset totrue— iframe embedding must be explicitly enabled on the workspace. - A backend service — your server handles the authentication handshake so the client secret is never exposed to the browser.
The
clientSecret must never be exposed in frontend code. All authentication with the client secret must happen on your backend. See Embed Authentication for the secure flow.How it works
The iframe uses a combination of client credentials and one-time token (OTT) authentication:- Your backend authenticates with WhataBot using the client credentials (Basic Auth).
- WhataBot returns a one-time token (OTT) valid for 60 seconds.
- Your frontend passes the OTT to the iframe, which exchanges it for access and refresh tokens.
- The iframe uses those tokens to interact with the WhataBot API.
Client token scope
Client tokens are scoped to a single workspace. An embedded editor can only access resources within the workspace the OAuth client was created for.Accessible resources
The following resources are available through the embedded editor:Flows
View and edit flows (
GET and PATCH).Flow Backups
View backup history and restore previous versions (
GET and restore).Sectors
View available sectors for the Transfer node (
GET only).Next steps
Embed Authentication
Learn the full 3-step authentication flow for the embedded editor, including code examples.