Reference
Status codes, rate limits and CSP rules for the embedded card.
Status codes
The iframe internally calls the Osteocom endpoint GET /api2/embed/content-licensing/product-status. The response is always HTTP 200 and the actual outcome is in the status field. Status values are kept generic by design — Osteocom doesn't disclose whether a partner exists or which products another partner has in its catalog.
| Status | Card state | Meaning |
|---|---|---|
| Ok | Available | The customer can buy this course. |
| AlreadyOwned | Already purchased | The customer already has an active activation for this course. |
| InvalidInput | Content unavailable | Required parameters missing or malformed (for example a non-ObjectId productId). |
| InvalidClient | Content unavailable | Unknown clientId or partner offline. |
| IntegrationMismatch | Content unavailable | The partner is configured for a different integration type (not iframe). |
| ProductNotFound | Content unavailable | The productId does not exist on Osteocom. |
| ProductNotInCatalog | Content unavailable | The product is not enabled in your per-partner catalog. |
INFO
Note that all error statuses render the same neutral placeholder in the iframe. If you suspect a misconfiguration during testing, reach out to Osteocom Support with the iframe URL you're using — we'll diagnose from our side.
Rate limiting
The product-status endpoint is rate-limited per client IP to protect it from abuse. The limits are tuned to be invisible to legitimate iframe loads while making enumeration of clientId/productId combinations impractical.
When the limit is hit, the endpoint returns HTTP 429 Too Many Requests. The iframe will render the neutral "Content unavailable" placeholder until the budget refills.
TIP
In practice you should never hit this in normal usage — a real customer loads the iframe a handful of times per session. If you see consistent 429 responses, contact us so we can investigate together.
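The following is an added example (not Osteocom's code) showing how a client can turn the product-status response into the card states listed above while failing closed: the 429 from the rate limiter, any other non-200 answer, a malformed body and any status value not in the table all collapse to the same neutral placeholder. The `response` object shape (`httpStatus`, `bodyText`) and the sample responses are constructed for the example and stand in for a real `fetch()` Response.

```javascript
// Added example, not Osteocom's code: map a product-status response to the
// documented card state, defaulting to the neutral placeholder on anything
// unexpected so the card never shows more than the reference describes.

const PLACEHOLDER = "Content unavailable";

// Documented status values (HTTP 200 body, "status" field) and the card state
// each one produces.
const CARD_STATE_BY_STATUS = {
  Ok: "Available",
  AlreadyOwned: "Already purchased",
  InvalidInput: PLACEHOLDER,
  InvalidClient: PLACEHOLDER,
  IntegrationMismatch: PLACEHOLDER,
  ProductNotFound: PLACEHOLDER,
  ProductNotInCatalog: PLACEHOLDER,
};

// `response` is a constructed {httpStatus, bodyText} object (assumed shape)
// standing in for a fetch() Response.
function cardStateFor(response) {
  // The rate limiter answers with 429 instead of a JSON status; the card shows
  // the placeholder until the per-IP budget refills.
  if (response.httpStatus === 429) {
    return { state: PLACEHOLDER, reason: "rate-limited" };
  }
  // The endpoint normally answers 200; anything else is unexpected and gets
  // the placeholder rather than an error message.
  if (response.httpStatus !== 200) {
    return { state: PLACEHOLDER, reason: `http-${response.httpStatus}` };
  }
  let body;
  try {
    body = JSON.parse(response.bodyText);
  } catch {
    return { state: PLACEHOLDER, reason: "malformed-body" };
  }
  const status = body && typeof body.status === "string" ? body.status : "";
  // hasOwnProperty stops values such as "constructor" from matching keys
  // inherited from Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(CARD_STATE_BY_STATUS, status)) {
    return { state: PLACEHOLDER, reason: "unknown-status" };
  }
  return { state: CARD_STATE_BY_STATUS[status], reason: status };
}

// Constructed sample responses, one per path the reference describes.
const SAMPLE_RESPONSES = [
  { httpStatus: 200, bodyText: '{"status":"Ok"}' },
  { httpStatus: 200, bodyText: '{"status":"AlreadyOwned"}' },
  { httpStatus: 200, bodyText: '{"status":"ProductNotInCatalog"}' },
  { httpStatus: 200, bodyText: '{"status":"constructor"}' },
  { httpStatus: 200, bodyText: "<html>not json</html>" },
  { httpStatus: 429, bodyText: "" },
];

function summarize(responses) {
  return responses.map(cardStateFor);
}

for (const result of summarize(SAMPLE_RESPONSES)) {
  console.log(`${result.reason.padEnd(20)} -> ${result.state}`);
}
```

Keeping the table as the only source of card states means a new status value added on the Osteocom side degrades to the placeholder instead of leaking an undocumented string into the card.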
CSP frame-ancestors
Every response from /embed/ paths carries a Content-Security-Policy header with a frame-ancestors directive that lists the partner domains allowed to host the iframe. Browsers enforce this directive and block any embed coming from a non-listed origin.
To add a new domain (a new subdomain, a staging environment, a new top-level domain) send us the exact origin — scheme included, no trailing slash, no path. For example:
- ✅ https://lms.partner.com
- ✅ https://staging.partner.com
- ❌ https://lms.partner.com/ (trailing slash)
- ❌ lms.partner.com (missing scheme)
- ❌ https://lms.partner.com/courses (path included)
We'll add it to your whitelist and apply the change.
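As an added example (not Osteocom's code), the function below applies the three rules above to a partner-supplied origin, scheme present, no trailing slash, no path, and then assembles a frame-ancestors directive from the accepted origins. Requiring `https:` and emitting `'none'` when no origin is accepted are this example's own choices, not stated on this page; the sample inputs are constructed.

```javascript
// Added example, not Osteocom's code: validate partner origins for the
// frame-ancestors whitelist and build the directive value.

// Returns {ok: true, origin} for a bare origin, otherwise {ok: false, reason}.
function checkOrigin(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    // "lms.partner.com" has no scheme, so URL() cannot parse it.
    return { ok: false, reason: "missing scheme" };
  }
  // Policy choice for this example: only https origins are accepted.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme must be https" };
  }
  // URL() normalises "https://lms.partner.com" to pathname "/", so a real
  // path, query or fragment shows up as anything beyond that.
  if (url.pathname !== "/" || url.search || url.hash) {
    return { ok: false, reason: "path included" };
  }
  if (input.endsWith("/")) {
    return { ok: false, reason: "trailing slash" };
  }
  // url.origin is scheme + lowercased host + non-default port and nothing
  // else; any difference (credentials, uppercase host, default port) means the
  // input is not the exact form the whitelist needs.
  if (input !== url.origin) {
    return { ok: false, reason: "not a bare origin" };
  }
  return { ok: true, origin: url.origin };
}

// Builds the directive from a list of candidate origins, deduplicating and
// reporting each rejected input with its reason.
function frameAncestorsDirective(inputs) {
  const accepted = new Set();
  const rejected = [];
  for (const input of inputs) {
    const result = checkOrigin(input);
    if (result.ok) {
      accepted.add(result.origin);
    } else {
      rejected.push({ input, reason: result.reason });
    }
  }
  // 'none' when nothing was accepted (this example's choice): browsers then
  // refuse every embed instead of falling back to an open policy.
  const sources = accepted.size > 0 ? [...accepted].join(" ") : "'none'";
  return { value: `frame-ancestors ${sources}`, rejected };
}

// Constructed sample input mirroring the examples in the reference.
const SAMPLE_ORIGINS = [
  "https://lms.partner.com",
  "https://staging.partner.com",
  "https://lms.partner.com/",
  "lms.partner.com",
  "https://lms.partner.com/courses",
];

const result = frameAncestorsDirective(SAMPLE_ORIGINS);
console.log("Content-Security-Policy:", result.value);
for (const r of result.rejected) {
  console.log(`rejected ${r.input}: ${r.reason}`);
}
```

Comparing the raw input against `url.origin` is what catches the cases a regex tends to miss: embedded credentials, a mixed-case host, or an explicit `:443`, all of which would otherwise end up in the header in a form that does not match what the browser sends.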