Using user metadata in SQL
Embedding apps within your platform provides a seamless user experience, but ensuring privacy and data security is always top of mind. By passing user metadata from the Embedded App, you can tailor the experience so that users only access their own data or data relevant to their organization. This guide walks through how to set up an Embedded App which has external customers accessing data.
Prerequisites
To follow this guide you'll need to
- Set up an Embedded App on your website
- Set up SSO for your embedded app so external users can access your app
Filter data based on user's metadata
Step 1. Add custom user metadata to your user's session
Start by updating your server to send the metadata
you want associated with your user.
For example, if we want to filter data based on the organization an embed user is associated with, we'd add externalOrgId
to the metadata call so that the user's org ID will be added as claim to the user's JWT.
Step 2. Update your queries to filter based on metadata
Add filters to your Backend API steps to filter using user metadata. For example, if you're writing a SQL query, it may look like:
SELECT *
FROM table_name
WHERE organization_id = {{ Global.user.metadata.externalOrgId }}
The metadata will not be available for an existing user's session until the JWT is reissued. In this case, the above SQL query will fail due to the Global object not having the field available in the metadata object yet. Be sure to handle this case before making updates to applications.
Step 3. Test, commit, and deploy your app
Test your app. When you're ready to expose the data to the host app, commit & deploy your app.
Your API will now only return data for the currently logged in user's organization. Use this approach to filter on other metadata like user IDs, group membership, custom roles a user has in your system, and more.
User metadata vs embed properties
Embed properties and user metadata can be used interchangeably to send data to your embedded app about a user. We recommend using metadata when:
- The data is used to logically isolate different customer/user data
- The property is unlikely to change during your user's current session
- You want to set the property once at login and re-use it across different embedded views
Since user metadata is encoded in your user's JWT, users cannot modify the data without invaliding the JWT. JWTs are validated by Superblocks anytime they are used to load applications and run APIs, ensuring a malicious user cannot gain access to data you don't want them to.