JSON web token claims reference

When creating a secure embed, use these claims in the construction of the JWT to pass information in your embed URL.

🚧

JWT claims are specific to a user, not a session. Do not use user-specific claims (such as teams, account type, or user attribute values) to manage what a user in a given session can view in an embed. Instead, manage access on the user level. Each user must have their own account to access the embed with the correct access level and permissions. Use consistent claim values for the same embed user across different secure embeds.

Refer to the following table of claims:

Claim name

Required?

Claim description

Type

sub

Required

The email address of the user logging in. Email addresses must be RFC-1035 compliant, and not include white space or unsupported characters, such as underscores.

string

jti

Required

JWT ID. A unique ID associated with the session.

string

iat

Required

Issued at time, as number of seconds from epoch.

number

exp

Required

Expired at time, as number of seconds from epoch. Cannot exceed 30 days.

number

alg

Optional

Must be HS256. Must be in the header, if included.

string

kid

Required

The embed client ID. Must be in the header.

string

iss

Optional

The issuer key. Enter the embed client ID.

string

oauth_token

Optional

Can only be used with ver: "1.1".

The OAuth token to use when using organization-level OAuth connections. This token must be encrypted with the embed secret.

See Sigma Node.js Embed SDK . This package provides information on how to encrypt your OAuth tokens so that they are compatible with the embed API.

string

connection_oauth_tokens

Optional

Can only be used with ver: "1.1".

Keys are the desired connection IDs and values are encrypted OAuth tokens that the embed user will use to access data for that connection.

See Sigma Node.js Embed SDK . This package provides information on how to encrypt your OAuth tokens so that they are compatible with the embed API.

Record<string,string>

eval_connection_id

Optional

The connection to use instead of the connection that the workbook is associated with.

Connection switching is not applicable when using write-back features.

You can use an ID returned from the list connections API or the connection listed in the URL. See Indentify unique IDs in Sigma for more information.

string

first_name

Optional, affects embed users only.

First name for the embed user.

string

last_name

Optional, affects embed users only.

Last name for the embed user.

string

user_attributes

Optional, affects embed users only.

User attributes for the embed user. Pass multiple attributes in this format: {"attribute1":"value1","attribute2":"value2"}.

Record<string,string>

account_type

Optional, affects embed users only.

Account type for the embed user. When you don't specify an account type, Sigma defaults to the highest account type when assigning values to embed users created through secure embeds.

Internal users accessing your embed use the account type assigned to them. Do not include an account_type claim for internal users.

string

teams

Optional, affects embed users only.

Teams that the embed user is a part of. Pass multiple teams in this format:
["team1", "team2"]

Internal users accessing your embed use the teams that they are assigned to in Sigma. Do not include a teams claim for internal users.

string[]

ver

Optional

JWT version number. The only accepted values are "1.0" or "1.1". If nothing is provided "1.0" is assumed.

string

aud

Optional for ver: "1.0", Required for ver: "1.1"

The audience claim. Must be sigmacomputing if using ver: "1.1". Is ignored if using ver: "1.0"

string