JSON web token claims reference

When creating a secure embed, use these claims in the construction of the JWT to pass information in your embed URL.

JWT claims are specific to a user, not a session. Do not use user-specific claims (such as teams, account type, or user attribute values) to manage what a user in a given session can view in an embed. Instead, manage access on the user level. Each user must have their own account to access the embed with the correct access level and permissions. Use consistent claim values for the same embed user across different secure embeds.

| Claim name | Required? | Claim description | Type |
|---|---|---|---|
| sub | Required | The email address of the user logging in. Email addresses must be RFC-1035 compliant, and not include white space or unsupported characters, such as underscores. | `string` |
| jti | Required | JWT ID. A unique ID associated with the session. | `string` |
| iat | Required | Issued at time, as the number of seconds since the epoch. | `number` |
| exp | Required | Expiration time, as the number of seconds since the epoch. Cannot exceed 30 days. | `number` |
| alg | Optional | Must be HS256. Must be in the header, if included. | `string` |
| kid | Required | The embed client ID. Must be in the header. | `string` |
| iss | Optional | The issuer key. Enter the embed client ID. | `string` |
| oauth_token | Optional | Can only be used with ver: "1.1". The OAuth token to use when using organization-level OAuth connections. This token must be encrypted with the embed secret. See Sigma Node.js Embed SDK. This package provides information on how to encrypt your OAuth tokens so that they are compatible with the embed API. | `string` |
| connection_oauth_tokens | Optional | Can only be used with ver: "1.1". Keys are the desired connection IDs and values are encrypted OAuth tokens that the embed user will use to access data for that connection. See Sigma Node.js Embed SDK. This package provides information on how to encrypt your OAuth tokens so that they are compatible with the embed API. | `Record<string,string>` |
| eval_connection_id | Optional | The connection to use instead of the connection that the workbook is associated with. Connection switching is not applicable when using write-back features. You can use an ID returned from the list connections API or the connection listed in the URL. See Identify unique IDs in Sigma for more information. | `string` |
| first_name | Optional, affects embed users only. | First name for the embed user. | `string` |
| last_name | Optional, affects embed users only. | Last name for the embed user. | `string` |
| user_attributes | Optional, affects embed users only. | User attributes for the embed user. Pass multiple attributes in this format: `{"attribute1":"value1","attribute2":"value2"}`. | `Record<string,string>` |
| account_type | Optional, affects embed users only. | Account type for the embed user. When you don't specify an account type, Sigma defaults to the highest account type when assigning values to embed users created through secure embeds. Internal users accessing your embed use the account type assigned to them. Do not include an account_type claim for internal users. | `string` |
| teams | Optional, affects embed users only. | Teams that the embed user is a part of. Pass multiple teams in this format: `["team1", "team2"]`. Internal users accessing your embed use the teams that they are assigned to in Sigma. Do not include a teams claim for internal users. | `string[]` |
| ver | Optional | JWT version number. The only accepted values are "1.0" or "1.1". If nothing is provided, "1.0" is assumed. | `string` |
| aud | Optional for ver: "1.0", Required for ver: "1.1" | The audience claim. Must be sigmacomputing if using ver: "1.1". Is ignored if using ver: "1.0". | `string` |
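
The following Node.js example is added here and is not Sigma's own code: it checks a claim set against the constraints in this reference, then signs it with HS256 and places kid in the header. It assumes the JWT is signed with the embed secret paired with the client ID and reads the 30-day limit as exp minus iat; `validateClaims`, `buildEmbedJwt`, `sampleClaims` and every sample value are hypothetical.

```javascript
// Added example, not Sigma's code: validate and sign a secure-embed JWT.
const { createHmac, randomUUID } = require('node:crypto');

const MAX_LIFETIME_S = 30 * 24 * 60 * 60; // exp cannot exceed 30 days (read here as exp - iat)
const b64url = (text) => Buffer.from(text).toString('base64url');

// Return a list of violations of the constraints in the claims table.
function validateClaims(claims) {
  const errors = [];
  for (const name of ['sub', 'jti', 'iat', 'exp']) {
    if (claims[name] === undefined) errors.push(`missing required claim: ${name}`);
  }
  if (typeof claims.sub === 'string' && /[\s_]/.test(claims.sub)) {
    errors.push('sub contains white space or an underscore');
  }
  if (claims.exp - claims.iat > MAX_LIFETIME_S) errors.push('exp is more than 30 days after iat');
  const ver = claims.ver ?? '1.0'; // "1.0" is assumed when ver is absent
  if (ver !== '1.0' && ver !== '1.1') errors.push('ver must be "1.0" or "1.1"');
  if (ver === '1.1' && claims.aud !== 'sigmacomputing') errors.push('aud must be "sigmacomputing"');
  for (const name of ['oauth_token', 'connection_oauth_tokens']) {
    if (claims[name] !== undefined && ver !== '1.1') errors.push(`${name} requires ver "1.1"`);
  }
  return errors;
}

// Sign with HS256. kid (the embed client ID) belongs in the header, not the payload.
function buildEmbedJwt(claims, clientId, embedSecret) {
  const errors = validateClaims(claims);
  if (errors.length > 0) throw new Error(`invalid claims: ${errors.join('; ')}`);
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT', kid: clientId }));
  const payload = b64url(JSON.stringify(claims));
  const signature = createHmac('sha256', embedSecret).update(`${header}.${payload}`).digest('base64url');
  return `${header}.${payload}.${signature}`;
}

// Constructed sample claims for one embed user; all values are placeholders.
function sampleClaims(now = Math.floor(Date.now() / 1000)) {
  return {
    sub: 'embed.user@example.com',
    jti: randomUUID(), // unique per session
    iat: now,
    exp: now + 3600, // one hour, well under the 30-day cap
    ver: '1.1',
    aud: 'sigmacomputing',
    teams: ['team1', 'team2'],
    user_attributes: { attribute1: 'value1' },
  };
}
```

Running `validateClaims` before signing surfaces a rejected embed as a clear server-side error rather than a failed load in the browser, and a short `exp` limits how long a leaked embed URL stays usable.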