A fictional storefront. Every pixel of this site exists to test embedding.
Self-login: type any email and request a sign-in code. A code is sent only to a provisioned, row-scoped account — unknown or unscoped addresses are refused, and no code is sent. Zero integration — the customer site pastes only the loader.
The launcher bubble appears bottom-right (drag it, click to open). A
6-digit code is emailed only to a provisioned, row-scoped account — e.g.
demo@upcai.info works. A random address gets the same generic
response but no code and no session, so accounts can't be probed. That's
the account check — enforced when the code is requested, not just at
sign-in.
Mint an identity: curl -X POST <origin>/api/engine/embed/sign-test -H "Authorization: Bearer <admin JWT>" -d '{"tenant":"dash","userId":"demo_1","email":"demo@upcai.info","role":"member","entityId":"2197"}'
— the signed blob (not the secret) is what a customer backend renders into their page.