Every Direct Embed widget is driven by an embed token, created on the partner page it belongs to.
An embed token is a powerless, revocablecredential — it is not a /v1 API key. It can only render and book the catalogs it is scoped to on the domains you allow; it cannot call the public API or read/write anything outside the booking widget. Tokens are created and revoked on the partner detail page, not in Step 1 of Getting Started, which covers the separate, full-power API key.
A partner can have several tokens, each scoped to a different subset of catalogs, domain list, and redirect/track-source setting — for example, one token for a marketing microsite showing only your “Featured” catalog, and another for the partner's main app showing everything. Revoke a token at any time from the same list; it stops working immediately — existing embeds stop loading items (the widget then has nothing to show).
If you're embedding on a Webflow site, register the site's published domain (not the.webflow.io staging domain) in the token's allowed domains, e.g. https://www.example.com. If the site is published under multiple subdomains you don't want to list individually, use a wildcard such as https://*.example.com. Update the allowed domains whenever the published domain changes (e.g. after connecting a custom domain in Webflow).
Paste the generated snippet directly into your site HTML (or a Webflow embed block):
<iframe
src="https://bookr.studio/embed/your-workspace?token=YOUR_EMBED_TOKEN"
width="100%"
height="600"
frameborder="0"
></iframe>See Getting Started for the full list of URL parameters the widget accepts.