Generate embed client credentials

Client credentials (a unique client ID and embed secret) are crucial to creating secure embeds. The embed secret is encoded within the secure embed URL for additional validation that ensures the embed's authenticity and security.

This document explains how to generate the embed client credentials in Sigma.

System and user requirements

The ability to generate embed client credentials requires the following:

• Secure embedding must be enabled for your organization. If the feature is disabled, contact Support or reach out to your Account Executive.
• You must be assigned the Admin account type.

Understanding the embed credentials

Sigma uses the client ID to determine which embed secret is referenced in a request. Each time a request is made, the server-side embed API uses the embed secret to generate an encrypted signature.

Together, the client ID and embed secret create a robust security framework for server-side interactions with Sigma.

• Authentication: The credentials authenticate your server and verify its identity to Sigma, confirming it as a recognized and authorized entity with valid access rights.

• Authorization: Based on the authentication, Sigma can control access to its resources and only allow requests from authorized entities to process further.

• Data integrity and non-repudiation: The embed secret's encrypted signature enhances trust by ensuring the request data remains unaltered.

• Confidentiality: Use of the credentials in server-side API interactions secures sensitive data and operations by maintaining confidentiality and providing protection against unauthorized access or manipulation.

🚧

For security purposes, Sigma provides a one-time view of the embed secret at the time creation and does not display it again. Because the secret is non-retrievable, it's important that you store the secret securely when you create it.

If you lose the embed secret, or it becomes compromised, you can revoke it and generate a new one; however, this invalidates the previous secret and all embeds that use it. When a new secret is generated, you must modify the embed API and update all existing embeds.

Generate embed client credentials

1. Go to Administration > Developer Access:

   1. In the Sigma header, click your user avatar to open the user menu.

   2. Select Administration to open the Administration portal.

   3. In the side panel, select Developer Access.

2. Click Create New to set up new credentials.

   

3. In the Create client credentials modal, complete the form fields:

   1. In the Select privileges section, select the Embedding checkbox.

   2. In the Name field, enter a unique name to identify the credentials.

   3. [optional] In the Description field, enter a description about the purpose of the credentials.

   4. In the Owner field, select an organization member. The embed secret uses the account type permissions associated with this user.

   5. Click Create to generate the credentials.

   

4. In the Secure Embedding Credentials modal, copy the embed secret and securely store it for future reference (you cannot retrieve it in Sigma later).

   You can also copy and securely store the client ID from the modal, but this information can be retrieved from the Developer Access page at any time.

   

Revoke existing embed client credentials

If you lose the embed secret, or it becomes compromised, you can revoke it and generate a new one.

1. Go to Administration > Developer Access:

   1. In the Sigma header, click your user avatar to open the user menu.

   2. Select Administration to open the Administration portal.

   3. In the side panel, select Developer Access.

2. In the list of credentials, locate the one you want to regenerate, then click More and select Revoke.

3. Complete the steps in Generate embed client credentials to generate new credentials.

4. Update any applications using the embed API containing the revoked credentials.