Embeds Guide

Embeds (Pinned and Live)

Embeds let you place a vibe on another site using a sandboxed iframe. Vibecodr provides the embed code so the runnable surface stays isolated from Vibecodr cookies, local storage, owner tools, and private source.

If a vibe also has a claimed vanity URL and you explicitly allow public or allowlisted embeds, that vanity page can be framed directly. Allowing an embed changes where the vibe may appear; it does not make the third-party host a trusted platform surface.

Pinned

Default

Choose an exact embed when the host page needs a fixed published cut. The embed does not move forward unless you copy a new exact embed.

Live

Optional

Choose a live embed when the host page should keep following the vibe's newest published version after BUMP IT updates.

Get an embed code

1. Open a vibe in the player.
2. Choose Embed, then select Pinned or Live.
3. Copy the snippet Vibecodr gives you, including its sandbox and allow settings.

What the snippet should include

A good embed snippet includes a descriptive title, stable dimensions, lazy loading, and the sandbox and allow settings Vibecodr provides for embeds. Some compatibility snippets include device, payment, or clipboard permission tokens so a vibe that asks for those features is not blocked at the iframe boundary before Vibecodr can show its own prompt. Those tokens do not silently approve access: the runtime still asks the viewer through Vibecodr's capability prompt, and the browser may still show its own permission prompt.

• Use a human-readable iframe title that names the vibe.
• Set an explicit width and height, or responsive CSS from the host page.
• Keep the copied sandbox and permission settings intact; they are part of the supported embed compatibility path.
• Do not add camera, microphone, location, payment, or clipboard access on your own. If a vibe needs one of those features, let Vibecodr's runtime permission flow request and gate it.

Embed allowlist

External embeds are off by default. Enable them in Settings > Embed Settings, Pulses > Embedding or the Studio Config panel. The allowlist controls which external sites can host the outer wrapper on embed.vxbe.space. If the vibe has a claimed vanity URL, the same setting also controls which external sites may frame that vanity page directly. This changes supported embed ancestry, not source visibility, owner controls, or who can read private project material.

• Origins must be HTTPS and origin-only (no path/query).
• Add exact origins like https://example.com.
• Use wildcard subdomains like *.example.com when needed.
• First-party surfaces keep working even when external embeds stay off.
• Embeds respect visibility and policy; revoked or private vibes show a safe failure.

Structured embed metadata

Some CMS and publishing tools can discover structured embed metadata from a Vibecodr share URL. Use the host product's add-by-URL flow when it supports that pattern, and prefer Vibecodr's copied embed code when the host asks for raw HTML.

If a host cannot discover the embed automatically, copy the embed snippet from Vibecodr instead of hand-building request URLs.

Caching and Delivery

Vibecodr keeps the fast stuff on direct public hosts and keeps the sensitive stuff on the policy-aware lane. That means public experiences feel snappy without turning previews, private work, or gated artifact delivery into generic CDN objects.

• Embed wrappers revalidate quickly enough that publishes, moderation changes, and live pointer updates can show up without making private work public.
• Public dependency files, avatars, thumbnails, and eligible published runtime files use public delivery lanes. Drafts, private work, and gated artifacts stay behind policy-aware delivery.
• Vibecodr uses edge caching and tiered cache paths so public reads stay fast without making private work public.
• Pulse responses are not cached unless you decide to send your own Cache-Control headers.