Signed embedding

Your embedded forum can be signed with its own API credentials, which allows for other configuration options to be passed securely in an encoded message. For example, this is needs to be set up if you are using the SMALL plan feature Federated Identities, or for the MEDIUM feature Secure Embedding.

First, you’ll want to disable the auto-initialization of the Muut client by removing the class “muut” from the element; then we can initialize it ourselves with our own configuration options, as outlined in the JavaScript section. We’ll be passing an ‘api’ object into the configuration that contains four pieces:

  • key your API key
  • message a base64-encoded JSON object that may be empty, or contain other message data, such as for federated identities
  • signature a sha1 hash of your API secret, the message, and the current timestamp
  • timestamp the same timestamp used to generate the signature

You pass the ‘api’ object, containing those four properties, as part of the client configuration, and you’re all set.


Replace your normal embed code with following:

<script src="//"></script>
<link rel="stylesheet" href="//">
<script src="//"></script>
<a id="my-community" href="">Community</a>

  api: {
    // API key for "YOUR_COMMUNITY_NAME"- community
    key: 'YOUR_API_KEY',

    // generate following on the server side (see below)
    message: 'MESSAGE',
    signature: 'SIGNATURE',
    timestamp: TIMESTAMP

On above code the MESSAGE, SIGNATURE and TIMESTAMP must be generated on the server side


Please choose the programming language of your choice to generate the above variables:

$message = base64_encode(json_encode(array()));
$timestamp = time();
$signature = sha1('YOUR_SECRET_KEY' . ' ' . $message . ' ' . $timestamp);
function SHA1(str) {
  var sum = require('crypto').createHash('sha1')
  return sum.digest('hex')

function BASE64(str) {
  return (new Buffer(str)).toString('base64')

var message = BASE64(JSON.stringify({})),
    timestamp = Math.round( / 1000),
    signature = SHA1('YOUR_SECRET_KEY' + ' ' + message + ' ' + timestamp)
import base64
import hashlib
import json
import time

# Timestamp in seconds (Improves security)
timestamp = int(time.time())

# Message (base64 encoded string)
message = base64.b64encode(json.dumps({}))

# Signature (signed with private key)
signature = hashlib.sha1(
   "YOUR_SECRET_KEY" + " " + message + " " + str(timestamp)).hexdigest()
require 'digest/sha1'
require 'base64'
require 'json'

# timestamp (in seconds). Improves security.
timestamp =

# Message (base64 encoded string)
message = Base64.strict_encode64 {}.to_json

# Signature (signed with private key)
signature = Digest::SHA1.hexdigest "YOUR_SECRET_KEY #{message} #{timestamp}"
C Sharp
// timestamp
double MillesecondsSinceEpoch = new TimeSpan(DateTime.Now.ToUniversalTime().Ticks - new DateTime(1970, 1, 1).Ticks).TotalMilliseconds;
int timestamp = (int)(MillesecondsSinceEpoch / 1000);

// message
string messageJSON = new System.Web.Script.Serialization.JavaScriptSerializer().Serialize(new {});
byte[] messageBytes = System.Text.Encoding.ASCII.GetBytes(messageJSON);
string message = Convert.ToBase64String(messageBytes);

// signature
string signature = string.Format("0 1 2", "YOUR_SECRET_KEY", message64, timestamp);
byte[] signatureBytes = System.Text.Encoding.ASCII.GetBytes(signature);
byte[] hashedSignature = new System.Security.Cryptography.SHA1CryptoServiceProvider().ComputeHash(signatureBytes);
string signature = BitConverter.ToString(hashedSignature).Replace("-", string.Empty);

Make sure that the message and signature are generated on your server and NOT on the frontend using simple Javascript. Otherwise your api secret will be exposed allowing anyone to make signed requests, post as anyone, and act as an administrator.

If you’re working to sign your embed and you just can't get your code to work, reach out to us on our forum for any specific help!

If you use a different programming environment from the above examples we would appreciate you sending a code example to so we can provide that along with this documentation. Thanks in advance!