Embed — /api/embed/*
Routes that back the universal embed tracker (zeq-embed.js). Same posture as Google Analytics or Plausible: a public-prefix zsm_pub_… key per state machine, scrape-resistant rate limits, schema validation, optional origin allowlist. The owner's write-back zsm_… key NEVER ships in an embed.
Concept: Embed snippet. Threat model: Embed + hosting security.
Endpoints
| Method | Path | Auth | Notes |
|---|---|---|---|
| POST | /api/embed/:slug/ingest | X-Zsm-Key: zsm_pub_… | Beacon endpoint. JSON body, ≤ 4 KB. |
| GET | /api/embed/:slug/recent | Bearer (viewer+) | Owner's read-back of recent beacons. |
| GET | /api/embed/:slug/pixel | querystring k=zsm_pub_… | NoScript / pixel heartbeat (returns 1×1 GIF). |
Status — coming soon. The embed snippet HTML and threat model are finalized at outputs/zeq-embed.snippet.html and outputs/embed-and-host-security.md. The HTTP routes ship in the next phase release; this page documents the contract so SDKs and operators can pre-integrate.
CORS
/api/embed/:slug/ingest is the only route on zeq.dev that allows wildcard CORS:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, OPTIONS
Access-Control-Allow-Headers: Content-Type, X-Zsm-Key
No Access-Control-Allow-Credentials — embed is cookie-less by design.
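The following is an added example, not zeq.dev's own server code, showing the request-level checks the contract above implies for the ingest and pixel routes: the public-key prefix check (with an owner zsm_ key refused outright rather than treated as missing), the 4 KB body cap applied to raw bytes before parsing, the optional origin allowlist, a minimal schema check, and CORS headers emitted only for the ingest path with no Allow-Credentials. The request shape (`{ path, headers, body }` with lower-cased header names), the key charset after the prefix, and the beacon field name `event` are assumptions.

```javascript
// Added example: request-level checks for the ingest beacon as this page's
// contract describes them. This is not zeq.dev's own code. The request shape
// ({ path, headers, body }) with lower-cased header names, the key charset,
// and the beacon field names are assumptions.

const PUB_KEY_RE = /^zsm_pub_[A-Za-z0-9_-]{8,}$/;  // public-prefix key (charset assumed)
const OWNER_KEY_RE = /^zsm_(?!pub_)/;              // owner write-back key: never valid on an embed route
const MAX_BEACON_BYTES = 4 * 1024;                 // "JSON body, <= 4 KB"
const INGEST_PATH_RE = /^\/api\/embed\/[^/]+\/ingest$/;

// CORS headers for the one wildcard route. Allow-Credentials is deliberately
// absent: a wildcard origin combined with credentials would let any page read
// responses made with the visitor's cookies.
function embedCorsHeaders() {
  return {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Methods': 'POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, X-Zsm-Key',
  };
}

// Every other route gets no CORS headers, so browsers keep it same-origin.
function corsHeadersFor(path) {
  return INGEST_PATH_RE.test(path) ? embedCorsHeaders() : {};
}

// Classify a key presented to an embed route. Owner keys are rejected
// outright rather than treated as "missing": a zsm_ key in an embed is a
// leak worth logging, not a client bug.
function classifyKey(key) {
  if (OWNER_KEY_RE.test(key)) return 'owner';
  if (PUB_KEY_RE.test(key)) return 'public';
  return 'invalid';
}

// Validate a POST /api/embed/:slug/ingest request.
// Returns { ok: true, beacon } or { ok: false, status, reason }.
function validateIngest(req, allowedOrigins = null) {
  const kind = classifyKey(req.headers['x-zsm-key'] || '');
  if (kind === 'owner') return { ok: false, status: 403, reason: 'owner key presented to embed route' };
  if (kind !== 'public') return { ok: false, status: 401, reason: 'missing or malformed public key' };

  // Optional origin allowlist; the owner configures it per machine (assumed shape).
  if (allowedOrigins && !allowedOrigins.includes(req.headers['origin'] || '')) {
    return { ok: false, status: 403, reason: 'origin not on allowlist' };
  }

  // Size check on raw bytes before parsing, so oversized bodies never reach JSON.parse.
  const body = req.body || '';
  if (Buffer.byteLength(body, 'utf8') > MAX_BEACON_BYTES) {
    return { ok: false, status: 413, reason: 'beacon exceeds 4 KB' };
  }

  let beacon;
  try {
    beacon = JSON.parse(body);
  } catch {
    return { ok: false, status: 400, reason: 'body is not valid JSON' };
  }
  // Minimal schema: a plain object with a short string event name (field name assumed).
  if (typeof beacon !== 'object' || beacon === null || Array.isArray(beacon)) {
    return { ok: false, status: 400, reason: 'beacon must be a JSON object' };
  }
  if (typeof beacon.event !== 'string' || beacon.event.length === 0 || beacon.event.length > 64) {
    return { ok: false, status: 400, reason: 'event must be a non-empty string of at most 64 chars' };
  }
  return { ok: true, beacon };
}

// The pixel route carries the key in the query string (k=zsm_pub_...).
// Returns the key when it is a well-formed public key, otherwise null.
function pixelKeyFromUrl(url) {
  const k = new URL(url, 'https://zeq.dev').searchParams.get('k') || '';
  return classifyKey(k) === 'public' ? k : null;
}
```

The ordering matters: the key check runs before anything that costs CPU, and the byte-length check runs before `JSON.parse`, so an unauthenticated or oversized request is dropped at the cheapest possible point.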
Rate limits
- 60 req/min/IP per machine.
- 600 req/min per machine across IPs.
- 6,000 req/day per machine.
- Body size: 4 KB per beacon, 64 KB max payload.
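An added example (not zeq.dev's own code) of a limiter that enforces the three request limits listed above per state machine, keyed on the route's `:slug`. It uses fixed windows and an in-memory `Map`, so it is per-process; a deployment with several instances would back it with a shared store. The clock is injectable so the windows can be exercised deterministically. The limit names, the `(slug, ip)` keying and the 429 response shape are assumptions.

```javascript
// Added example, not zeq.dev's own code: a fixed-window limiter applying the
// three limits on this page per state machine. In-memory, so per-process.
// Limit names, (slug, ip) keying and the 429 shape are assumptions.

const LIMITS = [
  { name: 'ip-minute',      windowMs: 60_000,     max: 60,    key: (slug, ip) => `${slug}|${ip}` },
  { name: 'machine-minute', windowMs: 60_000,     max: 600,   key: (slug) => slug },
  { name: 'machine-day',    windowMs: 86_400_000, max: 6_000, key: (slug) => slug },
];

class EmbedRateLimiter {
  // `now` is injectable so windows can be tested without waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.buckets = new Map(); // `${limit.name}:${key}` -> { windowStart, count }
  }

  // Returns { allowed: true } or { allowed: false, limit, retryAfterMs }.
  // All windows are checked before any counter is incremented, so a rejected
  // request does not burn quota in the windows that still had room.
  check(slug, ip) {
    const t = this.now();
    const touched = [];
    for (const limit of LIMITS) {
      const id = `${limit.name}:${limit.key(slug, ip)}`;
      let b = this.buckets.get(id);
      if (!b || t - b.windowStart >= limit.windowMs) {
        b = { windowStart: t, count: 0 }; // window expired or never seen: start fresh
        this.buckets.set(id, b);
      }
      if (b.count >= limit.max) {
        return { allowed: false, limit: limit.name, retryAfterMs: b.windowStart + limit.windowMs - t };
      }
      touched.push(b);
    }
    for (const b of touched) b.count += 1;
    return { allowed: true };
  }
}

// Shape a 429 for a rejected beacon; Retry-After is whole seconds.
function rateLimitResponse(result) {
  return {
    status: 429,
    headers: { 'Retry-After': String(Math.ceil(result.retryAfterMs / 1000)) },
    body: `rate limited (${result.limit})`,
  };
}
```

The per-IP window catches a single noisy or hostile client; the per-machine windows cap what a distributed scraper can do with one public key regardless of how many addresses it uses, which is why both are needed.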