> ## Documentation Index
> Fetch the complete documentation index at: https://docs.explo.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Generating a JWT

### Generate the Embed Secret

First, you must generate an embed secret. Go to the [Data Visibility Groups section](https://app.explo.co/settings/api-tokens) in the settings page,
create a new secret, and copy your secret's value and id. Then, you have two options:

### Use Explo's API to generate the JWT

For convenience, Explo exposes an endpoint you can use to generate a JWT for your customer/dashboard pair. You could hit this
endpoint when your customer loads the page and provide the JWT immediately to your embedded component.

See [here](/api-reference/customer-api/generate-jwt/) for docs on this endpoint

### Manually generate the JWT

You can also generate the JWT yourself. The specs of the JWT are as follows

Claims:

* cst: your customer id, the one you provided to Explo
* dsh: your embed id, taken from the Explo app
* exp: the desired expiration timestamp
* kid: the key id you're using to sign and encrypt the jwt
* alg: A256GCM
* rbc: read only report builder claims. Read more [here](/report-builder-features/read-only)
* des: disable editable section editing for dashboards that have them enabled
* iss: specifies the domain of the embed, making it so that the JWT is only valid from that origin. This is optional for increased security

```python theme={null}
# A python example:
from jose import jwe

jwt = jwe.encrypt(
  json.dumps(
      {
          "exp": (datetime.utcnow() + timedelta(hours=2)).timestamp(),
          "cst": "customer_1",
          "dsh": "abcdef",
          "iss": "https:your-website.com/" # note: the trailing '/' will be required
      }
  ),
  encryption="A256GCM",
  key=key_value,
  kid=key_id,
).decode("utf-8")
```

```javascript theme={null}
// A javascript example:
import * as jose from 'jose';

const enc = new TextEncoder();
const secret = enc.encode(key_value);

const jwt = new jose.EncryptJWT({
  cst: 'customer_1',
  dsh: 'abcdef',
})
  .setProtectedHeader({ alg: 'dir', enc: 'A256GCM', kid: key_id })
  .setIssuedAt()
  .setExpirationTime('2h')
  .encrypt(secret);
```
