Share a canvas
Generate a read-only /share/[token] link, control what's visible, and revoke when done.
Every project canvas can be shared as a read-only link. The recipient does not need an Alumia account; they get a snapshot of what's on the canvas, scoped by what you've published.
1. Open the project
Navigate to /<orgSlug>/projects/<projectSlug>. You need permission to share — typically project owners and org admins. The project hub at /<orgSlug>/lab lists projects; opening one lands on the canonical canvas route above.
2. Generate a share link
Open the project's Share dialog from the canvas toolbar. Enabling, updating, or revoking share links requires a browser session with fresh step-up (passkey or TOTP) — API keys cannot manage project sharing.
Enable sharing. The platform generates a 72-character share_token (stored on projects.share_token with a unique index) and a URL of the form:
https://alumia.com/share/project/<token>
Copy the URL. The token itself is the only credential — anyone with it can open the page.
3. What the recipient sees
The shared route is /share/project/[token] (page) and is backed by GET /api/v1/share/project/[token] (legacy GET /api/v1/share/lab/[token] redirects to the same payload). It returns a read-only view of the project's canvas:
- All visible blocks render.
- Agent sessions and message history render the same way they do in the lab.
- The canvas toolbar (snap-to-grid, alignment-guides toggle, resize handles) is hidden — viewers can pan, zoom, and inspect but cannot edit.
- The recipient cannot send messages, edit blocks, run tools, or invoke agents.
- The recipient cannot see other projects in your org.
The recipient does not see your billing, settings, API keys, connector credentials, or any project they weren't explicitly given.
Link previews on social, chat, and search
Share landing pages read copy from messages/*/share.json so app and project links render localized titles and descriptions.
When you paste a share URL into Twitter, WhatsApp, LinkedIn, Slack, iMessage, or any other unfurler, the preview is generated dynamically by next/og for each share route:
- The card includes the project's name and emoji
- The black-on-dark Alumia mark sits top-left; canvas-style typography fills the rest of the 1200×630 frame
- themeColor is wired up so WhatsApp's preview frame and mobile browser chrome pick up the brand
- Shared pages emit <meta name="robots" content="noindex,nofollow"> so the URL never lands in Google or Bing
- App-only shares use a separate dynamic card via /share/app/[token]/opengraph-image
4. What's not shared
Sharing publishes the canvas. It does not expose:
- Provider keys, API keys, or any secret values.
- Connector credentials or OAuth tokens.
- Memories that aren't materialised on the canvas.
- Other agents in the org that aren't part of this project.
Treat the URL itself as sensitive — the token is the access control. Anyone who gets the URL gets the view.
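Because the token sits in the URL path, it can end up in access logs, proxy logs, and error reports. The following is an added example, not Alumia's code: it replaces tokens in the share routes named on this page with a short SHA-256 fingerprint, so logs no longer carry the credential but can still be correlated if a leak is suspected. The token character class, the function names, and the sample log lines are assumptions.

```javascript
const { createHash } = require('node:crypto');

// Route prefixes come from the page. The token character class is an
// assumption (URL-safe characters); the page only states the length (72).
const SHARE_ROUTE = /(\/(?:api\/v1\/)?share\/(?:project|lab|app)\/)([A-Za-z0-9_-]+)/g;

// Short, stable, non-reversible label for a token. A plain truncated SHA-256
// is enough here because the input is a long random string, not a password.
function fingerprint(token) {
  return createHash('sha256').update(token).digest('hex').slice(0, 12);
}

// Replace every share token in a log line with its fingerprint.
function redactShareTokens(line) {
  return line.replace(SHARE_ROUTE, (_match, prefix, token) =>
    `${prefix}[share:${fingerprint(token)}]`);
}

// After a suspected leak: find redacted lines that touched a given token.
function linesForToken(redactedLines, token) {
  const label = `[share:${fingerprint(token)}]`;
  return redactedLines.filter((line) => line.includes(label));
}

// Constructed sample data: two made-up 72-character tokens and four log lines.
const TOKEN_A = 'a1B2c3'.repeat(12);
const TOKEN_B = 'Zz9_-x'.repeat(12);
const SAMPLE_LOG = [
  `203.0.113.7 "GET /share/project/${TOKEN_A} HTTP/1.1"`,
  `203.0.113.7 "GET /api/v1/share/lab/${TOKEN_A} HTTP/1.1"`,
  `198.51.100.4 "GET /share/app/${TOKEN_B}/opengraph-image HTTP/1.1"`,
  `198.51.100.4 "GET /acme/projects/roadmap HTTP/1.1"`,
];

const REDACTED_LOG = SAMPLE_LOG.map(redactShareTokens);
console.log(REDACTED_LOG.join('\n'));
console.log(linesForToken(REDACTED_LOG, TOKEN_A).length, 'lines touched token A');
```

Run the redaction before log lines leave the host that received the request, so the raw token is never written to shared log storage.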
5. Revoke
Open the Share dialog again and turn sharing off. The token is cleared from projects.share_token immediately. Any open /share/project/<token> tab returns 404 on the next request.
If you suspect a token leaked, revoke first, then regenerate — the next enable produces a brand-new token.
6. Rotate
There is no separate "rotate" action. To rotate, revoke and re-enable. Update the recipient with the new URL.
Common uses
- Show a stakeholder a research canvas without inviting them to the org.
- Hand off a generated artefact (document, code block, chart) without exporting.
- Embed the URL in a status update so reviewers can see live progress.
For project visibility within the org (Private vs Team), see Projects & workspaces. Sharing via token is a separate axis — you can keep a project Private inside the org and still publish a read-only token externally.