Authentication
Use the Docs Embed with sites that require authentication by passing visitor tokens or using authenticated access
If your GitBook documentation requires authentication (e.g., visitor authentication via OIDC, Auth0, or a custom backend), the embed cannot access your docs content unless the user's authentication token is provided.
There are two approaches:
Pass the token directly (recommended) - Initialize the embed with the visitor token
Use cookie-based detection - Check for the token in cookies before loading
Approach 1: Pass token directly (Recommended)
When initializing the embed, pass the visitor token directly:
<script src="https://docs.company.com/~gitbook/embed/script.js"></script>
<script>
window.GitBook(
"init",
{ siteURL: "https://docs.company.com" },
{ visitor: { token: "your-jwt-token" } }
);
window.GitBook("show");
</script>import { createGitBook } from "@gitbook/embed";
const gitbook = createGitBook({
siteURL: "https://docs.company.com",
});
const iframe = document.createElement("iframe");
iframe.src = gitbook.getFrameURL({
visitor: {
token: "your-jwt-token",
unsignedClaims: { userId: "123", plan: "premium" },
},
});<GitBookProvider siteURL="https://docs.company.com">
<GitBookFrame
visitor={{
token: "your-jwt-token",
unsignedClaims: { userId: "123" },
}}
/>
</GitBookProvider>Approach 2: Cookie-based detection
If your docs site stores the visitor token in cookies (as gitbook-visitor-token), you can check for it before loading the embed.
When a user signs in to your authenticated docs, GitBook stores a visitor token in their browser cookies under the key gitbook-visitor-token. The embed needs this token to fetch content from your docs.
The flow:
User signs in to your docs site
GitBook stores the visitor token in browser cookies
Your app checks for the token
If the token exists, load the embed and pass the token
If the token doesn't exist, prompt the user to sign in
Copy-paste snippet
Use this snippet to load the embed only after a user has signed in:
<script>
(function () {
// Check for the visitor token in cookies
function getCookie(name) {
var value = "; " + document.cookie;
var parts = value.split("; " + name + "=");
if (parts.length === 2) return parts.pop().split(";").shift();
}
var token = getCookie("gitbook-visitor-token");
if (!token) {
console.warn("[Docs Embed] Please sign in to your docs first.");
return;
}
// Token exists, load the embed
var script = document.createElement("script");
script.src = "https://docs.example.com/~gitbook/embed/script.js";
script.async = true;
script.onload = function () {
window.GitBook(
"init",
{ siteURL: "https://docs.example.com" },
{ visitor: { token: token } }
);
window.GitBook("show");
};
document.head.appendChild(script);
})();
</script>Replace docs.example.com with your actual docs site URL.
Alternative: Prompt users to sign in
If the token is missing, you can prompt users to sign in:
<script>
(function () {
function getCookie(name) {
var value = "; " + document.cookie;
var parts = value.split("; " + name + "=");
if (parts.length === 2) return parts.pop().split(";").shift();
}
var token = getCookie("gitbook-visitor-token");
if (!token) {
// Redirect to docs or show a message
alert("Please sign in to your docs to access help.");
window.location.href = "https://docs.example.com";
return;
}
// Load the embed with token
var script = document.createElement("script");
script.src = "https://docs.example.com/~gitbook/embed/script.js";
script.async = true;
script.onload = function () {
window.GitBook(
"init",
{ siteURL: "https://docs.example.com" },
{ visitor: { token: token } }
);
window.GitBook("show");
};
document.head.appendChild(script);
})();
</script>When using the NPM package, check for the token before initializing:
import { createGitBook } from "@gitbook/embed";
function initializeEmbed() {
// Check for token in cookies
const getCookie = (name) => {
const value = `; ${document.cookie}`;
const parts = value.split(`; ${name}=`);
if (parts.length === 2) return parts.pop().split(";").shift();
};
const token = getCookie("gitbook-visitor-token");
if (!token) {
console.warn("[Docs Embed] User must sign in first.");
return null;
}
const gitbook = createGitBook({
siteURL: "https://docs.example.com",
});
const iframe = document.createElement("iframe");
iframe.src = gitbook.getFrameURL({
visitor: { token: token },
});
const frame = gitbook.createFrame(iframe);
document.getElementById("embed-container").appendChild(iframe);
return frame;
}
initializeEmbed();For React apps, conditionally render the embed based on token presence:
import { useEffect, useState } from "react";
import { GitBookProvider, GitBookFrame } from "@gitbook/embed/react";
function App() {
const [token, setToken] = useState(null);
useEffect(() => {
// Check for token in cookies
const getCookie = (name) => {
const value = `; ${document.cookie}`;
const parts = value.split(`; ${name}=`);
if (parts.length === 2) return parts.pop().split(";").shift();
};
const visitorToken = getCookie("gitbook-visitor-token");
setToken(visitorToken);
}, []);
if (!token) {
return (
<div>
<p>Please sign in to access help.</p>
<a href="https://docs.example.com">Sign in</a>
</div>
);
}
return (
<GitBookProvider siteURL="https://docs.example.com">
<YourAppContent />
<GitBookFrame visitor={{ token: token }} />
</GitBookProvider>
);
}Common pitfalls
Loading the embed before sign-in – Always check for the token before loading the script or components, or pass the token directly when initializing.
Token not persisting across domains – Cookies don't persist across different domains due to browser security policies. Your app and docs must be on the same domain or subdomain, or pass the token directly.
Token expired – Tokens can expire. If the embed returns authentication errors, prompt users to sign in again.
Using wrong cookie name – The token is stored as
gitbook-visitor-token, notgitbook-tokenor other variations.Not passing token to init/getFrameURL – When using the cookie-based approach, make sure to pass the token to
GitBook('init', ..., { visitor: { token } })orgetFrameURL({ visitor: { token } }).
Debugging
To verify the token is present, open your browser console and run:
document.cookie.split(";").find((c) => c.includes("gitbook-visitor-token"));If this returns undefined, the user hasn't signed in to your docs yet.
Next steps
Customizing the Embed – Add welcome messages and actions
Creating custom tools – Integrate with your product APIs
Docs Embed documentation – Complete embedding guide
Last updated
Was this helpful?