CONCEPT Cited by 1 source

Signed embed URL

A signed embed URL is a short-lived, cryptographically-signed URL that carries the authorization context of one specific viewer. Loading the URL in an iframe (or fetching the resource it points to) is treated as an authenticated request — the URL itself is the capability.

Canonical shape:

https://<provider>/embed/<resource-id>
  ?user=<embed-user-arn>
  &filters=<row-level-security-context>
  &expires=<unix-ts>
  &signature=<hmac-or-equivalent>

The provider validates the signature, enforces expiry, and applies row-level-security filters keyed to the embedded user identifier — all before rendering the embedded resource.
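The mint-and-verify flow described above, as an added example (not the code of any provider named on this page): an HMAC-SHA256 signature over the resource ID and every query parameter, checked before expiry and before the filters are trusted. The host bi.example.com, the demo key, the function names and the canonical-string layout are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed demo values; a real signing key lives in a secrets manager.
SECRET = b"constructed-demo-key-not-for-production"
BASE = "https://bi.example.com/embed/"  # hypothetical provider host
EXPECTED = {"user", "filters", "expires", "signature"}


def _sign(resource_id, params):
    # Cover the resource id and all parameters in sorted order, so neither
    # the target dashboard nor the filter context can be swapped afterwards.
    canonical = resource_id + "\n" + urlencode(sorted(params.items()))
    return hmac.new(SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def mint_embed_url(resource_id, user, filters, ttl=300, now=None):
    """Minting backend: call only after the host app's session is validated."""
    now = int(time.time()) if now is None else now
    params = {"user": user, "filters": filters, "expires": str(now + ttl)}
    params["signature"] = _sign(resource_id, params)
    return BASE + resource_id + "?" + urlencode(params)


def verify_embed_url(url, now=None):
    """Provider side: return (user, filters) or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    resource_id = parts.path.rsplit("/", 1)[-1]
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    params = dict(pairs)
    # dict() keeps only the last duplicate, so reject repeated or extra keys.
    if len(pairs) != len(params) or set(params) != EXPECTED:
        raise ValueError("malformed parameters")
    sig = params.pop("signature")
    expected = _sign(resource_id, params)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("bad signature")
    # Expiry is read only after the signature proves it was not altered.
    if not params["expires"].isdigit() or int(params["expires"]) <= now:
        raise ValueError("expired")
    return params["user"], params["filters"]
```

The filters returned by verify_embed_url are the only ones the renderer should apply; anything taken from the request outside the verified parameters is untrusted.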

Structural properties

  • Per-viewer, per-request. Unlike a long-lived API key, the URL is minted once per dashboard load with the specific viewer's identity baked in. Forwarded URLs leak only that viewer's authorized view.
  • Short TTL. URLs typically expire within minutes (QuickSight's GenerateEmbedUrlForRegisteredUser defaults to a session lifetime in the 10–15 minute range). Expiry caps the impact of URL leakage.
  • Filter context embedded. Row-level-security parameters (tenant ID, organizational hierarchy, product line) are part of the signed payload. The provider refuses to render rows outside the embedded filter.
  • Identity translation at mint time. The minting backend validates the host application's own credential (session token, JWT, SAML assertion) and maps the relevant claims to the embedded-user ARN and filter context before signing. The host app's identity model never leaks to the provider.

Canonical implementations

  • QuickSight GenerateEmbedUrlForRegisteredUser — Lambda or other backend calls this API after validating the host app's session token; returns a time-limited signed URL bound to a registered QuickSight user and per-user filters.
  • AWS Presigned S3 URLs — the same idea at the storage layer: the signed URL carries the permission to GET/PUT a specific object within a TTL.
  • Looker Embed URLs — signed URLs with user ID + filters + permission set, similar shape.
  • Stripe Checkout Session URLs — host app creates a session server-side; client loads the session URL; the URL is the capability.

Why the capability model fits embedded analytics

The embed URL is the fulcrum of patterns/signed-embed-url-with-role-mapping: the host app converts its own session context into a BI provider's capability URL, so the iframe load is already authorized. The provider doesn't need to understand the host app's identity model; the host app doesn't need to delegate credentials to the provider.
