A signed iframe endpoint at /widget for embedding small server-rendered widgets (charts, metrics, notes, lists) inside posts.
Just paste a URL. The site signs and embeds it for you automatically.
https://adam.holter.com/widget?type=metric&label=Active%20Users&value=12,438&sub=last%2024hThat URL on its own paragraph renders as an iframe. You don’t need to sign it. The server signs it at render time before sending HTML to the browser.
/widget?type=note&title=Heads%20up&text=Posted%20automatically%20from%20Apify.Relative URLs work too, which is convenient for pipelines that don’t know the canonical host.
[holter_widget url="/widget?type=chart&kind=bar&labels=A|B|C&values=10|20|30" height="360"]Params: label, value, sub (optional), color (optional hex).
Params: kind (bar, line, pie, doughnut), title, labels (pipe-delimited), values (pipe-delimited numbers), series (optional dataset label).
Params: title, text.
Params: title, items (pipe-delimited).
/widget request requires a valid HMAC-SHA256 sig derived from the params and a server-side secret. Without a valid signature, the endpoint returns 403.the_content, so URLs in trusted post content get signed; URLs constructed externally cannot be forged.Referer for embedded loads and sets X-Frame-Options: SAMEORIGIN, so widgets only embed on adam.holter.com.type param selects a server-side template; data params are typed and sanitized.Posts published via Apify or any other pipeline only need to emit a paragraph containing a /widget?... URL. No signing step is required upstream. The site handles signing, sandboxing, and embedding on every render.
For URLs you want to use outside post content (e.g. in a Customizer block, an email, an external dashboard), the admin signer at /widget-sign returns a pre-signed URL. Most authors will never need it.