Tokens

Generate popout tokens for OBS browser sources, dashboards, and other unattended views that need access to your account without a logged-in browser session.

What Are Popout Tokens?

Popout tokens (prefix lm_pop_) are non-expiring secret strings that authenticate a single URL without your browser cookies. They are designed for:

  • OBS browser sources — drop a URL with ?token=lm_pop_… into OBS, no login UI required
  • Stream-deck buttons — open a popout view directly to a control surface
  • Shared dashboards — give a moderator read-only access to a single view
  • Remote control overlays — receive live events on another machine

Creating a Token

  1. Go to Dashboard → Tokens
  2. Click Create
  3. Optionally enter a label (only for your reference)
  4. Optionally assign the token to a specific member so its actions are attributed to that user
  5. Select the permissions the token may use (e.g. events:read, chat:read, spotify:read, spotify:playback, automations:execute)
  6. Click Create and copy the full token immediately — the secret is shown only once

A token can never grant more permissions than the user who created it. If you lose your access to a permission later, the token loses it too.

Using a Token

Append the token as a ?token= query parameter to any URL that supports popout authentication:

https://lumio.vision/popout/events?token=lm_pop_xxxxxxxxxxxx

The token is read by the page on load. WebSocket subscriptions, REST proxy calls, and SSR data all reuse the same token automatically — you only need to pass it once in the URL.

Where Popout Tokens Work

Lumio currently exposes four popout pages and the public overlay route. Popouts live on the dashboard host (lumio.vision) and accept ?token= for popout-token auth. Overlays live on a dedicated, configurable external host (overlay.lumio.vision in the official Lumio deployment — set via the NEXT_PUBLIC_OVERLAY_URL env var on the webapp) and authenticate via their own non-enumerable key — no popout token needed.

| URL | Host | What it shows | Recommended permissions |
| --- | --- | --- | --- |
| /popout/events | lumio.vision | Live event feed (followers, subs, cheers, raids, redemptions, tips) with channel-status indicator | events:read (+ chat:userinfo for enriched profiles) |
| /popout/chat | lumio.vision | Unified multi-platform chat view with moderation actions | chat:read (+ chat:write to send, chat:ban/chat:timeout/chat:delete to moderate) |
| /popout/music | lumio.vision | Spotify "now playing" widget with playback controls | spotify:read (+ spotify:playback to control playback) |
| /popout/obs | lumio.vision | OBS Remote control panel (scenes, stream/recording state) | settings:read |
| /overlay/{key} | overlay.lumio.vision | Any overlay, rendered as a browser source | public — no token needed; uses the overlay's own non-enumerable key |
| /overlay/{key}/preview | overlay.lumio.vision | Preview of an overlay inside the dashboard | same as above |

Overlays are intentionally separate: they authenticate via the overlay's own secret key (not a popout token), because OBS browser sources are world-readable URLs.

OBS Browser Source Setup

  1. Create the popout token with the permissions you need (for /popout/events you only need events:read)
  2. Copy the full popout URL with ?token=lm_pop_… from the Tokens page
  3. In OBS: Add → Browser, paste the URL
  4. Width/height: 400×600 for chat, 600×120 for music, 500×400 for events (rule of thumb)
  5. Custom CSS (optional): body { background: transparent; } if the popout doesn't already render transparent

Token Management

  • Edit — change label, assigned member, or permissions any time
  • Revoke — delete the token; all popout URLs using it stop working immediately
  • No expiry — tokens live until you revoke them
  • Audit — actions performed via a popout token are attributed in the audit log either to the assigned member (if set) or to the token's creator

Security Notes

  • A popout token is a bearer credential — anyone with the URL has the same access. Treat it like a password.
  • URLs are visible in browser history, screen shares and OBS scene exports. Assign the token to a member and grant the minimum set of permissions, so that a leaked token can do as little as possible and its actions remain attributable in the audit log.
  • Revoke tokens immediately if a streamer leaves your team or if you suspect a leak.
  • Never paste a popout token into a public chat, ticket, or screenshot.
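
Because popout URLs end up inside OBS scene exports, it helps to scrub an export before sharing it. The following is an added example, not part of Lumio's own tooling: it walks any JSON document, reports where `lm_pop_` tokens appear and returns a redacted copy. The function names, the token alphabet in the regex and the sample export are assumptions constructed for illustration.

```python
import json
import re

# Assumption: the secret after the documented lm_pop_ prefix uses URL-safe
# characters; the page does not specify the token alphabet or length.
TOKEN_RE = re.compile(r"lm_pop_[A-Za-z0-9_-]+")
PLACEHOLDER = "<redacted-popout-token>"


def scrub(node, path="$", findings=None):
    """Return (copy of node with tokens redacted, list of (json_path, hits))."""
    if findings is None:
        findings = []
    if isinstance(node, dict):
        clean = {k: scrub(v, f"{path}.{k}", findings)[0] for k, v in node.items()}
    elif isinstance(node, list):
        clean = [scrub(v, f"{path}[{i}]", findings)[0] for i, v in enumerate(node)]
    elif isinstance(node, str):
        clean, hits = TOKEN_RE.subn(PLACEHOLDER, node)
        if hits:
            findings.append((path, hits))
    else:
        clean = node  # numbers, booleans and null carry no token
    return clean, findings


def scrub_export(text):
    """Scrub a JSON export given as text; returns (redacted_text, findings)."""
    clean, findings = scrub(json.loads(text))
    return json.dumps(clean, indent=2), findings


# Constructed sample shaped like a scene export with browser sources (not real data).
SAMPLE = json.dumps({
    "name": "Stream scenes",
    "sources": [
        {"id": "browser_source", "name": "Events", "settings": {
            "url": "https://lumio.vision/popout/events?token=lm_pop_abc123DEF456", "width": 500}},
        {"id": "browser_source", "name": "Overlay", "settings": {
            "url": "https://overlay.lumio.vision/overlay/examplekey"}},
        {"id": "text_source", "name": "Notes", "settings": {
            "text": "backup: https://lumio.vision/popout/chat?token=lm_pop_zzz999"}},
    ],
})

if __name__ == "__main__":
    redacted, found = scrub_export(SAMPLE)
    for where, hits in found:
        print(f"popout token at {where} ({hits}x)")
    print(redacted)
```

Redaction only cleans the copy you are about to share; a token that has already left your machine still needs to be revoked on the Tokens page.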

API

| Type | Endpoint | Permission |
| --- | --- | --- |
| GraphQL Query | popoutTokens | tokens:read |
| GraphQL Query | myPermissions | any authenticated — used by popout pages to know what they can render |
| GraphQL Mutation | createPopoutToken(input) | tokens:create |
| GraphQL Mutation | updatePopoutToken(id, input) | tokens:edit |
| GraphQL Mutation | deletePopoutToken(id) | tokens:delete |
| REST | GET /v1/tokens | tokens:read |
| REST | GET /v1/tokens/me | any authenticated — returns the current caller's resolved permission set |
| REST | POST /v1/tokens | tokens:create |
| REST | PUT /v1/tokens/{id} | tokens:edit |
| REST | DELETE /v1/tokens/{id} | tokens:delete |