Skip to main content
When you embed a Superblocks app into your website, you have several options for authentication:
  • Public: anyone can view your app, no login required
  • Private: users log in to Superblocks directly and must have apps:view permission to the application
  • SSO: use your application’s existing login flow so users only have to log in once to access the embedded Superblocks app
Public and Private embeds have no added set up. Follow instructions below to configure SSO.

SSO authentication flow

With SSO embedding, users access your embedded app without needing a separate Superblocks login. Instead, you’ll log users in with your app’s existing auth and issue them a Superblocks session token for embedded auth. Using the Superblocks session token, your user’s identity, level of access, and metadata are securely transmitted to Superblocks so they can’t be modified by users client-side. The following diagram illustrates the authentication flow for SSO embed users:
Sequence diagram showing how to request a session token for an embedded user

Set up embedded SSO

Use the following instructions to have your application authenticate users with Superblocks.

Step 1. Generate an access token

To get Superblocks session tokens for your embed users, you’ll need to create an Embed access token. Follow the instructions below to create an access token, or learn more about Access tokens.
  1. Click your avatar in the upper-left corner of the home page and click Organization Settings
    Menu for switching to settings menus
  2. In the left sidebar, click Access Tokens
  3. Click +Create token
  4. In the Name field give your token a descriptive name
  5. Select an Expiration date, or use the default 90 day expiration.
  6. Select Embed as the token type Interface for creating an embed access token
  7. Click Create

Step 2. Add token endpoint to your web-server

Add an endpoint to your web-server that requests user session tokens from Superblocks. You can add this as a new endpoint, or to your existing authentication flow.
server.js
Make sure to replace the payload with information for the currently authenticated user.

Step 3. Request token client-side

Add code to your web application to request a session token from the token endpoint you just added to your application’s web server.
src/utils.tsx

Step 4. Pass the token to your embed

src/views/embed_page.tsx

Manage user access

Embed users must have the apps:view permission to the Superblocks app they’re trying to access. Grant users access by associating them with a Group with the necessary access level. To associate an embed user with a group:
  1. Click your avatar in the upper-left corner of the home page
  2. In the menu, click Organization Settings
  3. In the left sidebar, click Groups
  4. Either select + Add group or click into an existing group
  5. On the Permissions tab, enable View access for apps you want the user(s) to have access to Cash App Customer user group with view access to "Credit Card Application Processing" tool
  6. Go back to the Groups page and copy the group’s ID by selecting Copy group ID Groups page with options menu open showing option to copy the group's ID
  7. Update your server endpoint by adding a list of groupIds you want users to be associated with
Embed users aren’t permanent members of groups and won’t show up on the Members tab of groups. They are associated with the group for permissions purposes for the duration of the token’s session.

Customize user metadata

User metadata lets you attach additional information to a user beyond the standard attributes. This can be useful for storing extra data relevant to your application or business logic. To customize user metadata, include a metadata field in your request payload with JSON representing the metadata you want to add. For example:
Metadata is associated with the user’s current session and encoded in the session JWT as custom claims. This ensures that the metadata cannot be modified client-side, providing an additional layer of protection against unauthorized tampering. You can prompt Clark to build any conditional logic based on this user metadata. For example, display, hide, or disable a certain component based on an isAdmin metadata attribute Under the hood, Clark leverages the useSuperblocksUser() function to get the logged in user and check their metadata. Here is the code generated from the prompt above.
index.tsx
If you prefer to edit and review this logic directly, see developing apps in code.

Token API specification

POST /api/v1/public/token

Use this endpoint to request a session token for an embedded user. Request parameters application/json
Response Sample