Create Signed Embed Url

Create Signed Embed URL

Creates a signed embed URL and cryptographically signs it with an embed secret. This signed URL can then be used to instantiate a Looker embed session in a PBL web application. Do not make any modifications to the returned URL - any change may invalidate the signature and cause the URL to fail to load a Looker embed session.

A signed embed URL can only be used once. After the URL has been used to request a page from the Looker server, it is invalid. Future requests using the same URL will fail. This is to prevent 'replay attacks'.

The target_url property must be a complete URL of a Looker UI page - scheme, hostname, path and query params. To load a dashboard with id 56 and with a filter of Date=1 years, the looker URL would look like https:/myname.looker.com/dashboards/56?Date=1%20years. The best way to obtain this target_url is to navigate to the desired Looker page in your web browser and use the "Get embed URL" menu option to copy it to your clipboard and paste it into the target_url property as a quoted string value in this API request.

Permissions for the embed user are defined by the groups in which the embed user is a member (group_ids property) and the lists of models and permissions assigned to the embed user. At a minimum, you must provide values for either the group_ids property, or both the models and permissions properties. These properties are additive; an embed user can be a member of certain groups AND be granted access to models and permissions.

The embed user's access is the union of permissions granted by the group_ids, models, and permissions properties.

This function does not strictly require all group_ids, user attribute names, or model names to exist at the moment the embed url is created. Unknown group_id, user attribute names or model names will be passed through to the output URL.

To diagnose potential problems with an SSO embed URL, you can copy the signed URL into the Embed URI Validator text box in <your looker instance>/admin/embed.

The secret_id parameter is optional. If specified, its value must be the id of an active secret defined in the Looker instance. if not specified, the URL will be signed using the most recent active signing secret. If there is no active secret for signing embed urls, a default secret will be created. This default secret is encrypted using HMAC/SHA-256.

The embed_domain parameter is optional. If specified and valid, the domain will be added to the embed domain allowlist if it is missing.

Security Note

Protect this signed URL as you would an access token or password credentials - do not write it to disk, do not pass it to a third party, and only pass it through a secure HTTPS encrypted transport.

Calls to this endpoint require Embedding to be enabled

Request

Response