
Embedding Dashboards in Client Portals — A Security Deep Dive

January 30, 2025 10 min read

Giving customers a live dashboard inside your product sounds straightforward until you think through the security implications. Who can see what? How do you prevent one customer seeing another's data? What happens when a token is compromised? This post covers the full security model behind Orvixo's embed system.

The threat model

When you embed a dashboard, you're giving someone — possibly an unauthenticated end user — a way to query your database. The things that can go wrong:

  • A customer sees another customer's data (data isolation failure)
  • An expired or revoked token continues working
  • A user manually modifies query parameters to access data they shouldn't
  • A token leaks (e.g. logged to a browser console or captured in transit)

Signed tokens with row-level filters

Every embed token is a JWT signed with HMAC-SHA256 using a secret key that lives only on Orvixo's servers. The token payload carries:

{
  "dashboard_id": "dsh_2cK8mLvNp4",
  "org_id": "org_7xBn2mKqLw",
  "row_filter": { "client_id": "clt_394kLpRz" },
  "expires_at": 1745000000,
  "issued_at": 1744996400,
  "jti": "emb_a2f9c4e1..."
}

The row_filter object is the critical piece. Before any query on an embedded dashboard executes, Orvixo adds the filter as a mandatory WHERE clause. If a token carries client_id: 'clt_394', every query on every chart in that dashboard has WHERE client_id = 'clt_394' injected server-side, regardless of what the chart's original query says. Because the filter is part of the signed payload, a viewer cannot change it without invalidating the HMAC, which is what closes the "modify the query parameters" case from the threat model.

Token expiry and rotation

Tokens expire. The default is one hour, but you can set any value from 5 minutes to 30 days depending on your use case. For a customer-facing portal where users stay logged in, a 24-hour rolling token is common. For a public-facing embed on a marketing site, a 30-day token with manual rotation is usually fine. Treat the lifetime as the maximum window during which a leaked token stays usable if nobody revokes it: the longer you set it, the more you depend on revocation below.

Token revocation is immediate — calling the revoke endpoint marks the JTI as invalid in our token store and any subsequent request using that token gets a 401, regardless of the expiry timestamp. This is the most important thing to implement before going to production: make sure your application can revoke a token programmatically, and test that it actually stops working within a few seconds.
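The following Python example is added to this post and is not Orvixo's code. It shows the mechanics of the two sections above in one place: an HS256 embed token is issued and verified with the standard library only, the verifier pins the algorithm and rejects tampered payloads, expired tokens and revoked JTIs, and the signed row_filter is wrapped around the chart's query as a mandatory WHERE clause with bound parameters. The signing secret, the in-memory revocation set, the chart SQL, the `?` placeholder style and the fail-closed behaviour on a missing filter are assumptions made for this example; Orvixo's real token store, endpoint names and SQL dialect are not shown on this page.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the real secret lives only on the server.
SECRET = b"example-signing-secret-not-for-production"

# Constructed stand-in for the revocation store that the revoke endpoint writes to.
REVOKED_JTIS: set = set()


class TokenError(Exception):
    """Any failure here maps to an HTTP 401 on the embed request."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(payload: dict, secret: bytes = SECRET) -> str:
    """Produce header.payload.signature, signed with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, now: int, secret: bytes = SECRET) -> dict:
    """Return the payload only if signature, algorithm, expiry and revocation all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    # Pin the algorithm so a forged header cannot downgrade to 'none' or switch schemes.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # compare_digest is constant-time, so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(body_b64))
    if now >= payload["expires_at"]:
        raise TokenError("expired")
    # Revocation is a server-side lookup; it wins even when expires_at is far in the future.
    if payload["jti"] in REVOKED_JTIS:
        raise TokenError("revoked")
    return payload


def revoke(jti: str) -> None:
    """What a revoke endpoint does: mark the JTI so every later request fails."""
    REVOKED_JTIS.add(jti)


def build_query(chart_sql: str, payload: dict) -> tuple:
    """Wrap the chart's own query and bolt the signed row_filter on as a WHERE clause.

    Values are bound with placeholders, never interpolated. Column names come from
    the signed payload (trusted) but are still limited to identifier characters.
    """
    conditions, params = [], []
    for column, value in payload["row_filter"].items():
        if not column.replace("_", "").isalnum():
            raise TokenError(f"bad filter column {column!r}")
        conditions.append(f"{column} = ?")
        params.append(value)
    if not conditions:
        # Example's choice: fail closed rather than ever run an unfiltered query.
        raise TokenError("embed token carries no row_filter")
    sql = f"SELECT * FROM ({chart_sql}) AS chart WHERE " + " AND ".join(conditions)
    return sql, params


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token({
        "dashboard_id": "dsh_2cK8mLvNp4",
        "org_id": "org_7xBn2mKqLw",
        "row_filter": {"client_id": "clt_394kLpRz"},
        "expires_at": now + 3600,
        "issued_at": now,
        "jti": "emb_example_1",
    })
    payload = verify_token(token, now)
    print(build_query("SELECT month, revenue, client_id FROM sales", payload))
    revoke("emb_example_1")
    try:
        verify_token(token, now)
    except TokenError as err:
        print("after revoke:", err)
```

Two design points are worth noticing. The filter is applied by wrapping the chart's query in a subquery rather than by string-appending `WHERE` to it, so it still applies when the chart query has its own GROUP BY or ORDER BY; the cost is that the chart query must project the filter column, and if it does not, the wrapped query errors instead of silently returning unfiltered rows. And the revocation check runs on every request against server state, which is why revoking a JTI takes effect immediately regardless of the expiry timestamp inside the token.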

Transport and storage

All embed URLs use HTTPS with HSTS. The token appears in the URL query string, which means it can end up in server access logs, browser history, and the Referer header sent when the user follows a link out of the page. For sensitive embeds, use the JavaScript SDK instead: it accepts the token via a JS variable, which keeps it out of the URL entirely and so keeps it out of CDN caches and edge logs as well.

The dashboard response carries a tight Content-Security-Policy whose frame-ancestors directive allows the page to be framed only by the origins you explicitly allowlist in your organisation settings; a browser loading the iframe from any other origin refuses to render it.

API reference for embedding

The full embed token API, SDK documentation, and a security checklist are in the API reference.
