Embedding on a static website

This isn't a technical question but one about best practices when using Metabase.

Gregory MS is a website built using a static site generator (Hugo). Some pages contain questions and dashboards, and the user can only download the data if I embed the dashboard with the embed token.

For example: https://gregory-ms.com/observatory/ocrelizumab/

From my perspective there isn't too much of a problem in sharing the token per se. Or is there some security issue I am missing?

Hi @brunoamaral
So the example is using Public Sharing, not Signed Embedding.
Are you trying to do Signed Embedding? If yes, then the embedding secret should never be exposed to the end-user, so it would require some server-side function that generates the token for you.

Yes, that is exactly what I am trying to do.

In that case I need to think of some way to build the site and allow the visitors to view the embed. The site rebuilds every hour. Would setting a 60-minute token be a good way to go about this?

@brunoamaral That's an option - I would probably do something like 70 minutes in case someone visits 2 seconds before the rebuild, then they can still browse for 10 minutes.
Or build a JavaScript check which refreshes the site if the token is expired.
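The approach discussed in this thread, sketched as an added example (not code from either poster or from Metabase): the hourly build signs a 70-minute embed token with the secret, and the page only reads the token's `exp` to decide when to refresh. The function names, dashboard ID, site URL and secret are constructed placeholders.

```javascript
// Added example. All names and sample values are hypothetical.
const nodeCrypto = require('node:crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');

// BUILD STEP (Node, run by the hourly site build).
// The embedding secret lives only in the build environment; the generated
// HTML contains the signed token, never the secret itself.
function signEmbedToken(secret, dashboardId, ttlMinutes, nowMs = Date.now()) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({
    resource: { dashboard: dashboardId },
    params: {},
    // 70 rather than 60 gives visitors a grace window around the rebuild.
    exp: Math.floor(nowMs / 1000) + ttlMinutes * 60,
  }));
  const signature = nodeCrypto
    .createHmac('sha256', secret)
    .update(`${header}.${payload}`)
    .digest('base64url');
  return `${header}.${payload}.${signature}`;
}

// URL the build writes into the iframe's src attribute.
function embedUrl(siteUrl, token) {
  return `${siteUrl}/embed/dashboard/${token}#bordered=true&titled=true`;
}

// BROWSER SIDE. Reading exp needs no secret: the JWT payload is only
// base64url-encoded, so the page can decode it but cannot forge a new token.
function secondsUntilExpiry(token, nowMs = Date.now()) {
  const b64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  const { exp } = JSON.parse(atob(b64));
  return exp - Math.floor(nowMs / 1000);
}

function needsRefresh(token, nowMs = Date.now()) {
  return secondsUntilExpiry(token, nowMs) <= 0;
}

// In the page (token taken from the iframe src written by the build):
//   if (needsRefresh(token)) location.reload();
```

If a cache still serves the previous build, the reloaded page carries the same expired token, so limit the check to one reload per visit to avoid a loop.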