Create Authorization

LLM-friendly URL
POST
https://api.luzmo.com/0.1.0/authorization
API call form
Examples

Authorizations are key-token pairs that grant access to the Luzmo platform and/or Luzmo resources. The most common use-case is to create an API key-token pair in our UI, and use that in your application to create short-living Embed Authorization key-token pairs via our API. Embed tokens can be used for your application's users to access specific Luzmo datasets and embedded dashboards.

Types of Authorization tokens

There are 3 types of tokens that you can create programmatically and/or manually:

  1. Login tokens
    These tokens are created when you manually authenticate to the platform. Via the API you will only come into contact with them when you create a new user programmatically. The response of creating a new user via API will contain a login key-token pair; this login token can be used to create an Authorization token of type api .

    • Programmatic: the only way to create a new login token is to create a new user .

    • Manual: authenticate (log in) to the platform.

  2. API tokens
    API tokens can be used to programmatically perform API actions on Luzmo resources (e.g. creating Embed Authorization tokens, updating entities, pushing new data points, etc.).

    • Programmatic: use an active Login Authorization token to create an Authorization token of type api .

    • Manual: in your Luzmo profile, you can create new API key-token pairs, as well as see your existing API keys. You can also invalidate them in this page, similar to deleting an Authorization token via API.

  3. Embed tokens
    Embed Authorizations can be used to temporarily delegate access to one or more datasets and dashboards to e.g. an end-user within your own platform. They can only be created with an active API Authorization key-token pair from an Organization owner user.
    Embed tokens can have access restrictions to limit which securables can be accessed (via Collections, as well as directly to one or more dashboards and/or datasets), which data filters are automatically applied to all queries, ...
    Embed tokens are implicitly associated with a bootstrapped Luzmo user based on the username property in the "create" request. Luzmo will use this to manage user-generated content and track Monthly Active Views (MAVs) & Designers (MADs).

    • Programmatic: use an active API Authorization token from an "Organization owner" user to create an Authorization token of type embed .

    • Manual: you cannot create embed tokens via the UI.

Tokens can be created in a cascaded way as described above ("login" → "api" → "embed"), but are always ultimately tied to a single User. In case of a Login or API Authorization, that is the user that initially created the Authorization token. In case of an Authorization token with type embed , the token is implicitly associated with its bootstrapped User (see above).

Access rights for Embed tokens

Authorization tokens of type embed are typically used to provide users in your platform access to one or more Luzmo securables (i.e. datasets and/or dashboards). Such access is most commonly provided via the access property in the Authorization request, but can also be achieved by associating a Securable with the bootstrapped User or (suborganization) Group. The following rules apply to access rights ( read , use , modify , own ) to dashboards and/or datasets:

  • Access provided within the access property of the Authorization request:

    • Within Collections via the collections property: the highest level of inherited access is given to a securable amongst all Collections, in case that securable is accessible through multiple Collections.

      • E.g. If two collections both provide inherited access to a securable, but one provides access rights "use" while the other provides "modify" access rights, the token will inherit "modify" access for that securable.

    • In case a securable is accessible through both a Collection and directly via the datasets or dashboards property, the direct access rights will override the inherited access rights.

      • E.g. If the token has inherited "use" access to a dataset via a Collection, but receives "modify" access to the same dataset via the datasets property, the token will have "modify" access to that dataset.

  • Only the highest access rights given via the access property (see previous bullet point), and through its bootstrapped User and any Group(s) they are a member of, will be taken into account.

    • E.g.:

      • If the token's access property specifies "use" access to a dataset, but the token's bootstrapped User has received "modify" access to that dataset, the token will effectively have "modify" access.

      • If a user's group has "modify" access to a dashboard while the user itself has "use" access to that dashboard, the embed token will effectively have "modify" access to that dashboard due to its group having such access.

For embed tokens, the simplest access management to dashboards and datasets happens via Collections and the collections array inside the access property of the Authorization request. This way you can easily manage access rights for a token to multiple securables at once. If you need to provide/override access rights to specific securables (e.g. customer-specific dashboards that are not in a Collection), you can do so via the datasets or dashboards property of the Authorization request.

Merging of data filters for Embed tokens

When an Authorization token of type embed queries a dataset (e.g. via an embedded dashboard), filters from different origins will be applied. The following three sets of filters are merged together using "AND" relations when Embed tokens query a dataset:

  • Filters that are always applied:

    • Filters specified via the filters property of Authorization token.

    • All interactivity filters from dashboard items (e.g. selection in a column chart, date range selection, etc.).

  • Filters that are always applied, unless it's a parameterized filter that is cleared via the parameter_overrides property in the Authorization request:

    • Embed filters on datasets are always applied, unless parameterized and explicitly cleared.

    • Dashboard & chart filters are always applied, unless parameterized and explicitly cleared.

  • Filters that are applied in the following priority (if the user has access to a dataset via User and/or Group access ): User-specific filters (if available), then Group filters (if user-specific filters are not set), and finally Public group filters (if neither user-specific nor group filters are set). E.g.:

    • If filter(s) are specified on an associated group that the user is part of, as well as on the direct association to the user itself, only the filter(s) specified on the user's association will be applied.

    • If filter(s) are specified on multiple associated groups of which the user is member of, and no filters are specified on the user's access itself, the filter(s) of the different group-securable associations will be merged together using "AND" relations.

Below you can find the specific properties that can be set when creating an Authorization token.

Request parametersResponse schema
id UUID

The unique identifier of the entity

user_id UUID

The ID of the Luzmo user associated with this authorization token. For embed tokens, this is the bootstrapped user based on the username property.

type STRING

Type of Authorization token to create. Possible types created by an API token are:

  • embed : create a temporary embed token for an end-user.

  • sso : (deprecated in favor of type embed ) create a temporary single sign-on token for an end-user.

Other token types:

  • login : a token created when manually authenticating using your user credentials

  • api : API token for programmatic access to Luzmo resources. Can be created only through a login token

environment STRING

Used to control which dashboard version is shown. Valid options are: null , production , acceptance , development , qa . If explicitly set to null , the latest dashboard version will always be shown when embedding with this token. If not specified or set to "production" , it will show the published production version, or the latest version if it doesn't exist. If set to development , acceptance or qa , it will show the corresponding published version, or the latest version if it doesn't exist.

Default value:production
expiry DATETIME

RFC3339 timestamp when this authorization will cease working. Defaults to 24 hours from creation default, with a maximum of 1 year.

This is the hard (maximum) expiry time of the token, after which it will always be invalid. We advise using short expiry time, eg. 24 hours from now.

Upon expiry of the token, the authorizationExpired event will be emitted.

Default value:< 24 hours from creation >
inactivity_interval NUMBER

Duration of inactivity (in seconds) after which the token is prematurely invalidated . Defaults to 0 . You can use this to prematurely invalidate tokens when the user session in your application has ended (eg. all open dashboards are closed).

A value of 0 means no premature invalidation due to inactivity (the token will only expire on the datetime specified in the expiry property of the Authorization request). For non-zero values the minimum is 120 seconds, this is to avoid accidental invalidation for a dashboard that is still open, eg. when a heartbeat signal sent to the server is missed.

Upon expiry of the token, the authorizationExpired event will be emitted.

Default value:0
last_used_at DATETIME

RFC3339 timestamp of when the authorization token was last used.

created_at DATETIME

RFC3339 timestamp of when the authorization token was created.

updated_at DATETIME

RFC3339 timestamp of when the authorization token was last updated.

deleted_at DATETIME

RFC3339 timestamp of when the authorization token was deleted, or null if it has not been deleted.

username STRING

Viewer metadata: The username of the end-user. Identifies the user uniquely and immutably. This should correspond to eg. the primary key for the user on your end. If it changes, the user will not have access to their previously created content anymore. Don't use e.g. an e-mail address if those can change in your platform!

This will be used to uniquely identify a Monthly Active Viewer (MAV) or Monthly Active Designer (MAD) for your Organization. If not used in a fair manner, functional session cookies will be used to distinguish monthly active users.

Please note that the only special characters that are allowed in the username are: . & _ - + @ ' ( ) and ! .

name STRING

Viewer metadata: name of the end-user. This will be used in the Luzmo UI (e.g. in the tour in the embedded editor).
Note that only the following special characters are allowed: . & _ - + @ ' ( ) and ! .

email EMAIL

Viewer metadata: email address of the end-user. This will be used in the Luzmo UI (e.g. prefilled into the Alert Email channel modal).
Note that this must be a valid email address format, e.g. example@domain.com .

suborganization STRING

Each embed token should be in a suborganization. The suborganization determines which other users they can see & interact with. it defaults to username to have total isolation, set to null if you want all users to see each other.

Default value:<username>
role STRING

The role of the user for who you are making the authorization request. This will influence which actions Luzmo will allow or deny (e.g. a "viewer" role is not allowed to switch to edit mode).

  • viewer : only able to view and interact with one or more dashboards or variants.

  • designer : able to view, interact, edit, and create one or more dashboards, variants, and duplicates.

  • owner : able to view, interact, edit, and create one or more dashboards, variants, and duplicates. Next to that, "owner" tokens can favorite dashboard variants for other embed users within their suborganization.

Default value:viewer
access OBJECT

Specifies which datasets and dashboards the token should have access to, either through one or more Collections or directly to the specified datasets and/or dashboards. You must provide access to at least one resource.

  • In the introduction paragraph on top (under "Access rights for Embed tokens" ), you can find more information about how access rights are applied when a Securable is accessible via multiple resources.

  • Don't forget to also provide access to each dashboards' underlying dataset(s) to avoid 'No access' errors!

collections ARRAY[OBJECT]
datasets ARRAY[OBJECT]
dashboards ARRAY[OBJECT]
filters ARRAY[OBJECT]

List of data filters to apply when data queries are performed with this authorization. See "Merging of data filters for Embed tokens" at the start of Create Authorization for more information about filtering behaviour when Embed tokens query data.

  • This can be used with multi-tenanted datasets to ensure end-clients can only access their own data. Note that the use of parameter filters (see Authorization property parameter_overrides ) is usually a better approach, however.

  • You can also use the filters property to specify initialization filters on one or more dashboard items. These filters will be applied as a pre-selection when the dashboard item is loaded, but can be modified by the end-user in the respective dashboard item.

clause STRING
origin STRING
securable_id UUID
column_id UUID
level NUMBER
chart_id UUID
aggregation OBJECT
expression STRING
value NUMBER | STRING | BOOLEAN | ARRAY
hidden_columns ARRAY[STRING]

List of dataset column ids to be hidden in an embedded dashboard. This will hide the columns from the end-user in e.g. the embedded editor, but they can still be queried from existing dashboard items.

Column ID UUID
theme OBJECT

Optional JSON definition of a theme to apply to the dashboard. See this Academy article for more information.

css STRING

Optional CSS override to apply to the dashboard. The CSS gets appended to the existing CSS overrides in the dashboard. An example can be seen in this Academy article .

metadata OBJECT

Use the metadata property to specify optional Viewer metadata. This must be a valid JSON object with a maximum length of 200k characters.

For Authorization tokens with deprecated type 'sso', you can also use the metadata property to override parameter values of parameterized filters.

  • To clear parameterized filter(s) completely (i.e. not apply them), override its value to: {"< parameter name >": {"clear": true}}

  • To mark sensitive parameters that should not be logged, like JWT or authentication tokens, store it as an object with the sensitive property set: {"< parameter name >": {"sensitive": true, "value": "..."}}

  • To mark a parameter as sticky to make sure its value is always used in future scheduled exports and alerts created by this token, rather than an updated value from a newer token for the same username, set: {"< parameter name >": {"sticky": true, "value": "..."}}}

currency_id STRING

Overrides the displayed currency symbol on the dashboards, for all currency columns. Expects a currency_id in the form of an ISO 4217 currency code, for example: EUR or USD.

parameter_overrides OBJECT

Use this property to override parameter values of a parameterized filter(s). This must be a valid JSON object with a maximum length of 200k characters. This is commonly used for multi-tenancy filtering, see here . See intro on top (under "Merging of data filters for Embed tokens" ) for more information about filtering behaviour when Embed tokens query data.

  • To clear parameterized filter(s) completely (i.e. not apply them), override its value to: {"< parameter name >": {"clear": true}}

  • To mark sensitive parameters that should not be logged, like JWT or authentication tokens, store it as an object with the sensitive property set: {"< parameter name >": {"sensitive": true, "value": "..."}}

  • To mark a parameter as sticky to make sure its value is always used in future scheduled exports and alerts created by this token, rather than an updated value from a newer token for the same username, set: {"< parameter name >": {"sticky": true, "value": "..."}}}

This property is only available for Authorization of type 'embed', for Authorization tokens with deprecated type 'sso', you should use the metadata property.

feature_overrides ARRAY[STRING]

Enable/disable certain features for the Embed user. See this Academy article for a list of all available feature flags.

Feature flag STRING
description STRING

Optional description of the authorization token. Commonly used to identify API tokens, for example: Token for my production app .

ip ARRAY[STRING]

List of IP addresses or subnets. Leave empty to disable IP whitelisting (default behavior).
Eg.: ["123.45.67.89", "123.45.66.0/4", "2001:db8:0:1:1:1:1:1"]

IP address / subnet STRING
iq OBJECT

Extra properties to customize interactions with Luzmo IQ.

context STRING
Can be executed by:
Logged-in User
Can be associated to:
Locale
User
Dissociate Alert
Search Authorization
Did this page help you?
Yes No
Language
Shell
Node
Java
.NET
Python
PHP
Install
dotnet add package LuzmoSDK --version 1.0.3
Example Request 
import Luzmo from '@luzmo/nodejs-sdk';
const client = new Luzmo({
  api_key: '<your Luzmo API key>',
  api_token: '<your Luzmo API token>',
  host: 'https://api.luzmo.com'
});


const response = await client.create('authorization',
  {
    type: "embed",
    username: "<A unique and immutable identifier for your user>",
    name: "<username>",
    email: "<user_email>",
    suborganization: "<a suborganization name>",
    access: {
      collections: [
        {
          id: "<collection_id>",
          inheritRights: "use"
        }
      ],
      datasets: [
        {
          id: "<dataset_id>",
          rights: "use"
        }
      ],
      dashboards: [
        {
          id: "<dashboard_id>",
          rights: "use"
        }
      ]
    }
  }
);
You are not authenticated.
Log in to try
Example Response
200
400
500
{
  "id": "c6dcefe7-a0f8-4837-9050-ba4617691a28",
  "token": "HXlTLT4mj8Ajmw5QMegcloMps3d1zxopoa1caC8r2nFBdvpm3POURhvRYX6jSariWAWmet7YURSyzjK1KhUn8UZ4ItdlgzlNCklqX2LNiZ5dVL8S1MozHpWzQ0ILS0qkLhb5e20YmxAc2HOFJmOgbg",
  "user_id": "477086f8-2ad2-4e5f-8aaf-de209f69b9bb",
  "type": "embed",
  "environment": "production",
  "expiry": "2024-12-31T00:00:00.000Z",
  "inactivity_interval": null,
  "last_used_at": "2024-08-13T08:29:30.000Z",
  "created_at": "2024-08-13T08:29:30.099Z",
  "updated_at": "2024-08-13T08:29:30.099Z",
  "deleted_at": null,
  "username": "<A unique and immutable identifier for your user>",
  "name": "<username>",
  "email": "<user_email>",
  "suborganization": "<a suborganization name>",
  "role": "viewer",
  "access": {
    "datasets": [
      {
        "id": "<dataset_id>",
        "rights": "use"
      }
    ],
    "dashboards": [
      {
        "id": "<dashboard_id>",
        "rights": "use"
      }
    ]
  },
  "hidden_columns": [],
  "filters": null,
  "theme": null,
  "css": null,
  "currency_id": null,
  "metadata": null,
  "parameter_overrides": null,
  "feature_overrides": null,
  "description": null,
  "ip": null,
  "iq": {
    "context": "<Luzmo IQ context prompt>"
  }
}