Generate the Embed Secret

First, you must generate an embed secret. Go to the Data Visibility Groups section in the settings page, create a new secret, and copy your secret’s value and id. Then, you have two options:

Use Explo’s API to generate the JWT

For convenience, Explo exposes an endpoint you can use to generate a JWT for your customer/dashboard pair. You could hit this endpoint when your customer loads the page and provide the JWT immediately to your embedded component.

See here for docs on this endpoint

Manually generate the JWT

You can also generate the JWT yourself. The specs of the JWT are as follows

Claims:

  • cst: your customer id, the one you provided to Explo
  • dsh: your embed id, taken from the Explo app
  • exp: the desired expiration timestamp
  • kid: the key id you’re using to sign and encrypt the jwt
  • alg: A256GCM
  • rbc: read only report builder claims. Read more here
  • des: disable editable section editing for dashboards that have them enabled
  • iss: specifies the domain of the embed, making it so that the JWT is only valid from that origin. This is optional for increased security
# A python example:
from jose import jwe

jwt = jwe.encrypt(
  json.dumps(
      {
          "exp": (datetime.utcnow() + timedelta(hours=2)).timestamp(),
          "cst": "customer_1",
          "dsh": "abcdef",
          "iss": "https:your-website.com/" # note: the trailing '/' will be required
      }
  ),
  encryption="A256GCM",
  key=key_value,
  kid=key_id,
).decode("utf-8")

// A javascript example:
import * as jose from 'jose';

const enc = new TextEncoder();
const secret = enc.encode(key_value);

const jwt = new jose.EncryptJWT({
  cst: 'customer_1',
  dsh: 'abcdef',
})
  .setProtectedHeader({ alg: 'dir', enc: 'A256GCM', kid: key_id })
  .setIssuedAt()
  .setExpirationTime('2h')
  .encrypt(secret);