If so then is there any way to restrict use of that method? Or, just allow embedding URLs in iframes, but not direct API calls?
Does Qlik Sense have any access settings that prevent users from using the APIs?
1) If the script is served by Qlik Sense Server, the administrator needs to upload the page/Mashup/script on the Server.
2) If the script is served by a third server, that server needs to be allowed in CORS by an Administrator.