Embed Token Generation

To embed a Bold BI dashboard securely in your application, you must generate an embed token. In v13.1, the token is requested by building a signed query string and calling the authorize endpoint via GET API call.

The following diagram illustrates the token generation flow:

Token Generation v13 diagram

Node

/*
  Example: Embed Token Generation (Node.js)
  Requires: express, crypto, https, http
  Install express: npm install express
*/

const express = require('express');
const crypto = require('crypto');
const https = require('https');
const http = require('http');

const app = express();

app.post('/tokenGeneration', function (req, res) {
  // Required details
  const serverUrl = "<Bold BI Server URL>";
  const siteIdentifier = "<Site Identifier>";
  const serverApiUrl = serverUrl + "/api/" + siteIdentifier;
  const dashboardId = "<Dashboard Id>";
  const userEmail = "<User Email>";
  const embedSecret = "<Embed Secret Key>";

  // Build query string
  let queryString = "embed_nonce=" + crypto.randomUUID();
  queryString += "&embed_dashboard_id=" + dashboardId;
  queryString += "&embed_user_email=" + userEmail;

  // Sign query string
  const embedSignature = "&embed_signature=" + getSignatureUrl(queryString, embedSecret);
  const embedDetailsUrl = "/embed/authorize?" + queryString + embedSignature;

  // Request token from Bold BI server
  const serverProtocol = new URL(serverApiUrl).protocol === 'https:' ? https : http;
  serverProtocol.get(serverApiUrl + embedDetailsUrl, function (resultContent) {
    let str = '';
    resultContent.on('data', chunk => { str += chunk; });
    resultContent.on('end', function () {
      const resultJson = JSON.parse(str);
      if (resultJson?.ApiStatus && resultJson.Data?.access_token) {
        res.json({ access_token: resultJson.Data.access_token });
      } else {
        res.status(500).json({ error: "Failed to generate embed token" });
      }
    });
  });
});

// Helper function: Sign query string using embedSecret
function getSignatureUrl(queryString, embedSecret) {
  const hmac = crypto.createHmac('sha256', Buffer.from(embedSecret));
  return hmac.update(queryString).digest('base64');
}

Note: You can reuse the Embed Token generated for dashboard embedding case. Due to a current limitation, Embed Tokens are generated using a dashboardId but are not dashboard-specific; they are user-specific. This limitation will be addressed in a future release.

The following mandatory values must be configured in your backend application to generate an embed token.

Parameter	Description
`serverUrl`	Base URL of your Bold BI application (e.g., `https://your-company.boldbi.com/bi`).
`siteIdentifier`	Unique site/tenant identifier in Bold BI (e.g., site/tenant)
`dashboardId`	Unique ID of the dashboard How To get: Open the dashboard in BI application and copy the ID from the browser's URL.
`userEmail`	Email of the user viewing the dashboard. The user must exist in Bold BI and have permission to access it.
`embedSecret`	Secret key used to sign authorization requests. How To get: Retrieve this from the Bold BI settings page.

Important: Never expose embedSecret to the client. Generate tokens only on your backend and return access_token to the browser.

Please provide additional information

Thank you for your feedback and comments.We will rectify this as soon as possible!