Authentication and embedding

I have a few questions regarding authentication and embedding.


  • I want to embed a dashboard in my web application. Only a user who logs in to my app should be able to view the dashboard. I am planning to use one Metabase superuser to display dashboards for my web application (one superuser per client, each client can have ‘n’ users).

What I have tried:

  • Currently I am able to embed a dashboard using the code (and secret embed key) provided in the embed option for the dashboard (for Node.js). But this method doesn’t seem to have any authentication flow, since the provided secret key is stored in my server-side code and doesn’t require a session id.

  • Embedding the dashboard by generating a secret key using (GET /api/util/random_token) and using that to sign the JWT instead of the one provided by Metabase in the ‘Embed Section’ of the Admin Panel. I received an error saying that the ‘Message was corrupted or manipulated’.

How I would like the flow to be:

  • When the user logs in to my web app, I want to get a session id using an API (e.g. POST /api/session/). Use that session id to generate a secret key using (GET /api/util/random_token). Then use the generated secret key to sign the JWT and call the dashboard using (GET /api/embed/dashboard/:token) in my web application.

Is the above scenario possible? Or do I only have to use the secret key provided by Metabase in the ‘Embed Section’ of the Admin Panel? Are embedding and authentication (i.e. using a Metabase session id) not related? Any help will be greatly appreciated.


Why do you need a custom secret key?

Your requirements:

  • Only logged-in users can access dashboards: this can be solved by you, i.e. before you return a signed iframe URL, just check whether they are logged in. If yes, return the iframe URL; if not, return 401 etc.

  • If you want to pass the User Id to the Metabase dashboard/question etc., just embed it as a locked parameter in the signed iframe URL.

I don't think you need a custom secret key, to be honest.

Hope that helps.


Thanks a lot for your response Mick, that cleared many of my doubts. I had initially thought that saving a secret key in the server might not be safe enough and hence wanted a new secret key every time.

So I went ahead and tried passing the User Id to the dashboard as a locked parameter in the signed iframe URL. But when I logged in as user A and used the signed iframe URL of user B, it still displayed the dashboard of user B. Is that the correct behaviour? I was expecting an unauthorised response for user A.

You are generating them per user, per request, so how would you be able to use the iframe of user A when you are logged in as user B?

Hey Mick,
What I did was login on my web application on separate browsers and generate the iframe for each user. I then edited the html in the browser for User B and replaced that user’s iframe with User A’s iframe.

Hi @harshsaudagar, how can I capture this key dynamically using Java with this “GET /api/util/random_token”?