Securing the Metabase Embed URL with logged in user and Make token expire post logout

Shashank · August 30, 2022, 3:00pm

Hi Team ,

Recently We have been evaluating the metabase for analytic tool. But figured that embeding the metabase exposes the iframe url which is always signed by the SECRET_KEY at server side. Is there any way we can sign the payload with logged in user information and if he tries to access that url outside our embed host website should throw error. is it possible? So technically wants to expire that iframe url once my application is logged out.

flamber · August 31, 2022, 10:58am

Hi @Shashank
You can set exp in JWT to make it expire after just a few seconds if you want that.
You would have to do some reverse-proxying to block access unless specific criteria are met, basically your own SSO authentication handler in front.