Skip to main content
Every completed run returns an edit_url alongside the download_url. Drop it into an <iframe> and your users see the generated document rendered as a full, interactive spreadsheet, document, or presentation surface inside your app — no file download, no third-party viewer, no infrastructure to manage on your side. 
{
  "run_id": "run_01HXYZ",
  "download_url": "https://backend.overtenai.com/api/v1/runs/run_01HXYZ/download",
  "edit_url":     "https://backend.overtenai.com/api/v1/edit/run_01HXYZ?token=..."
}
The editor behind the edit_url is the same one the Overten web app uses. Users can scroll, zoom, switch sheets or slides, edit cell values, rewrite text, and move slides. Changes auto-save back to the run’s artifact — the next download_url fetch serves the updated file.

download_url vs edit_url — when to use which

download_urledit_url
What you getA URL to the raw file bytesAn iframe-ready URL to a live document viewer
Primary useSave to disk, email, feed another pipelineShow the AI’s output in your app for users to inspect
Interactive?No — one-way pullYes — scroll, zoom, switch sheets/slides, edit cells
User can edit?N/AYes — edits persist to the run’s artifact
Lifetime24 hours (signed storage URL)15 minutes, sliding on activity
Safe to share cross-app?No — grants file accessNo — grants view access to one run
Most integrations use both: the edit_url inside a dashboard so users see results immediately, and a “Download” button backed by download_url so users can take the file elsewhere.

How it works end-to-end

1

Generate a document

Call POST /excel/generate (or /word/generate or /slides/generate) with your prompt. The response includes both download_url and edit_url.
2

Embed the edit_url in your UI

Set the edit_url as the src of an <iframe> in your app. No extra backend work needed.
3

Overten validates and renders

When the iframe loads, Overten validates the token, retrieves the run’s file from storage, and streams a rendering of the document into the frame.
4

User edits stay in Overten

Every scroll, click, or edit the user makes happens between the browser and Overten — your app never sees the content bytes, never handles file parsing, and never runs a viewer itself.

Basic embed

<iframe
  src="{{ run.edit_url }}"
  width="100%"
  height="800"
  allow="clipboard-read; clipboard-write"
  sandbox="allow-scripts allow-same-origin allow-forms"
></iframe>
React: 
function DocumentViewer({ run }) {
  return (
    <iframe
      src={run.edit_url}
      title="Document viewer"
      style={{ width: "100%", height: "100vh", border: 0 }}
      allow="clipboard-read; clipboard-write"
    />
  );
}

Token semantics

The token query parameter in the edit_url is what ties a particular iframe session to a specific run. Key properties:
  • Opaque — a random string, not a JWT. Generated and validated entirely by Overten. Don’t try to parse it client-side.
  • Scoped to one run and your org — if someone copy-pastes the URL, the token only unlocks this document for your org. It can’t be used to access other runs.
  • Short-lived with sliding expiry — expires 15 minutes after the last user activity. Active viewer sessions refresh the TTL automatically; idle sessions (user closed the tab) expire on their own.
  • No explicit revoke endpoint today — the short sliding TTL is the primary mitigation. If you suspect a leak before a token has naturally expired, contact support with the run_id and we can invalidate it on our side.

How edits work

Two edit paths compose cleanly: In-iframe edits: The user types in a cell, rewrites a paragraph, or moves a slide. Edits auto-save to the run’s artifact (the same storage location download_url points at). The next fetch serves the updated bytes. Agent-driven edits via API: Call the generation endpoint with the original run_id and a new prompt. The agent picks up the current state — including any in-iframe edits the user made — and applies the change on top: 
resp = requests.post(
    f"{API}/excel/generate",
    headers=headers,
    json={
        "run_id": "run_01HXYZ",
        "prompt": "Apply a % YoY column to the Summary sheet "
                  "and extend the headcount chart through Q4.",
    },
)
Agent follow-ups via run_id are cheap because the agent resumes from saved state rather than rebuilding. Every generate response includes a fresh edit_url and download_url.

Refreshing an expired URL

If the edit_url has expired (for example, a user returns to your dashboard the next day to reopen a document), call the generation endpoint again with the original run_id and a minimal prompt: 
curl -X POST "https://backend.overtenai.com/api/v1/excel/generate" \
  -H "Authorization: Bearer $OVERTEN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "run_id": "run_01HXYZ",
    "prompt": "(no change — just reopening the session)"
  }'
The response includes a fresh edit_url with a new token. The call is cheap because the agent resumes from existing state rather than starting from scratch.

What edit_url is not

The iframe renders the document live; the raw file bytes never land on the user’s disk via this route. Use download_url for file downloads.
In-iframe edits are designed for human users. For server-side code that applies structured changes, use the generation endpoint with run_id — that path is auditable, has a ledger row, and doesn’t require a browser.
Your users don’t need Excel, Word, or PowerPoint installed locally. The viewer runs entirely in the browser.

Security considerations

  • Mint per viewer session. Don’t store a single edit_url server-side and serve it to multiple users. Each user should get a freshly-minted URL from the latest generation response.
  • Strip tokens from logs and analytics. Drop the token query parameter before recording page URLs in your observability tools.
  • Restrict frame ancestors. Set a Content-Security-Policy on your parent page limiting which origins can frame your dashboard, so an attacker can’t frame your app and read the iframe state via JavaScript.
  • Prefer your own domain as the parent page. The token is only meaningful in-browser; capturing the URL during a session and opening it from another host still requires getting past the sliding TTL.

White-label and custom branding

By default, the editor shows standard Overten chrome (header and logo). Enterprise customers can configure a white-label version with custom branding. Contact support@overten.ai for details. If you prefer not to use the Overten viewer at all, use download_url and render the file with your own tooling (Google Drive viewer, OnlyOffice, SheetJS, or native Office apps). The API returns both URLs on every run, so you can switch approaches per-user or per-route without changing your generation code.