Goal

Render the MexCep changelog inside any third-party site (status page, internal wiki, partner portal) without writing JavaScript. The endpoint returns a self-contained HTML document with inline CSS; embed it via a single <iframe> and it works everywhere.

Prerequisites

None for the request itself. The widget supports anonymous traffic and serves public-audience entries.

Steps

1. Drop the iframe into your page

<iframe
  src="https://api.example.com/v1/public/changelog/embed?lang=en"
  width="100%"
  height="600"
  frameborder="0"
  title="MexCep Changelog">
</iframe>

The widget renders a scrollable list of recent entries with title, date, summary, and a category badge. A "View all" footer link points to the full changelog page.

2. Customize via query params

All parameters are optional.

ParamDefaultDescription
langenDisplay language. Accepted: en, es.
limit10Number of entries to show (1–30; values outside the range are clamped).
audiencepublicAudience filter. Accepted: public, admin (admin requires cookie + docs:read).
<!-- Spanish, last 5 entries -->
<iframe src="https://api.example.com/v1/public/changelog/embed?lang=es&limit=5"
        width="100%" height="400" frameborder="0"></iframe>

<!-- Public audience, last 20 entries -->
<iframe src="https://api.example.com/v1/public/changelog/embed?audience=public&limit=20"
        width="100%" height="800" frameborder="0"></iframe>

3. Styling

The widget ships with minimal inline CSS. Single-column responsive layout. Typography inherits from the widget's own stylesheet, not from the parent page — this is expected iframe isolation behavior.

The stylesheet reacts to the visitor's OS preference via prefers-color-scheme:

  • Light mode: white background, dark text.
  • Dark mode: near-black background, light text.

No class names, CSS variables, or theme tokens are exposed for external override. If you need full visual control, call GET /v1/public/changelog directly and render your own HTML.

4. iframe + CORS headers

The endpoint serves on every response:

Content-Security-Policy: frame-ancestors *
X-Frame-Options: ALLOWALL

The widget can be embedded from any domain, including localhost, file://, and third-party sites. There is no allowlist to configure.

5. Caching

Responses are cached for 5 minutes (Cache-Control: public, max-age=300, must-revalidate). After a new release publishes, the iframe refreshes on the next reload within 5 minutes.

Errors

StatusCodeCause
400invalid_lang / invalid_audienceParam value outside the enum.
401unauthorizedRequested audience=admin without cookie auth.
403forbiddenCookie present but missing docs:read.
429rate_limitedExcessive widget requests from the same IP.

Notes

  • The widget is a full HTML document, not a fragment — embed it via <iframe>, not dangerouslySetInnerHTML.
  • See Subscribe to the Atom feed or Subscribe to the JSON feed if you want push-style integration with an RSS reader instead of an iframe.
  • ADR-0090 (URL Convention) explains the /v1/public/* namespace move.

New in v1.49.6 — see ADR-0090.