Embedding Security

Organization Secret

Your organization secret is used during the JWT generation to secure the JWT from tampering using the HMAC256 signature mechanism. The secret is unique for your organization and needs to be kept secret to assure that embedding requests cannot be tampered with or spoofed. The organization secret can be viewed by organization owners by navigating to Settings > Embedding. It can also be reset from this page if it is ever leaked.

Sensitive Data

The payload, though obscured via the JWT base64 encoding, is not cryptographically secure. While payload data cannot be tampered with without access to the organization secret, sensitive data (e.g. SSNs) should not be included in the payload.

Revoking End User Access

To revoke end user access to embedded dashboards at any time, reset your organization secret. To do this, visit the embedding settings page and click the Reset Secret button. Please note, this will immediately invalidate embedding requests encoded with the old secret for all dashboards across your entire organization.

JWT Expiration

By default, we expire JWTs at 24 hours from the iat (issued at) value. Your third party JWT library may generate the iat value for you or require you to include it in your payload. You can lower the expiration time using the exp JWT value however we will always cap the upper bound at 24 hours. The reason for this is we are trying to limit the downside of an end user looking at your HTML source in the browser and distributing the iframe src url outside of your application. At most they could only get away with this for 24 hours.