ThoughtSpot recommends that you browse through the following guidelines before embedding ThoughtSpot in your application.
Define application workflows🔗
In addition to the Visual Embed SDK, ThoughtSpot provides REST APIs to query data from the ThoughtSpot application. For example, you can construct a search Answer using the data APIs and use this link to embed search answers with your application.
Irrespective of the method you use for embedding, make sure you define your application workflows and authentication criteria to enable seamless navigation between the host and embedded interfaces.
Determine the hosting domain🔗
When you embed ThoughtSpot into your app, the application URL will be set as
<your-company-name>.thoughtspot.cloud by default. Most web browsers, including Safari and Firefox, block third-party cookies by default. To ensure that embedding works on browsers that don’t allow third-party cookies and cross-domain requests, you can customize the domain name of the embedded ThoughtSpot instance. For more information, see Custom domain configuration.
If your deployment requires both ThoughtSpot standalone application and the embedded ThoughtSpot instance, we recommend that you host these instances on separate domains or non-overlapping sub-domains.
Define user roles and privileges🔗
The ThoughtSpot application integration involves several workflows that require users to have specific privileges:
- ThoughtSpot admin
ThoughtSpot administrators who define the authentication workflow and create user groups.
Access control in ThoughtSpot is managed through the users and groups that are stored locally on ThoughtSpot, even if the users are authenticated using SSO or Trusted Authentication. This means that to provide access to content or system privileges, admin users must create users and groups in ThoughtSpot.
Application developers with privileges to use the Developer portal and embed ThoughtSpot components in their host application.
Developer users can also customize the look and feel of the UI, add custom actions to an embedded visualization or Liveboard, and modify security settings such as CORS and CSP. For more information, see Developer access.
Define an authentication method🔗
For initial development and testing purposes, you can use the basic authentication method with session REST APIs to manage ThoughtSpot user logins and sessions. However, ThoughtSpot recommends that you use the EmbeddedSSO or trusted authentication service to authenticate users in production environments.
For more information, see Authentication.
Define security settings🔗
Before embedding, you must enable several security settings in the Developer portal for cross-domain communication.
- Cross-Origin Resource Sharing
Cross-Origin Resource Sharing (CORS) domains are the origins from which ThoughtSpot APIs can be called. When you add your host domain for CORS in the Developer portal, ThoughtSpot adds the
access-control-allow-originheader in its API responses.
- Content Security Policy
To use the Visual Embed SDK, configure the following content security policy (CSP).
CSP visual embed hosts
To allow your host domain to set the frame-ancestors CSP policy header and embed a ThoughtSpot object within your application frame, you must add your host domain as a CSP visual embed host.
If you plan to configure custom actions to invoke external URLs, you must add these URLs to the CSP connect-src domain list in the Developer portal.
For more information, see Configure security settings.
Try out the embed modules🔗
The ThoughtSpot Developer portal provides a playground for developers to explore the Visual Embed SDK components. The Playground offers an interactive coding experience for developers to evaluate the APIs and embed ThoughtSpot search, visualizations, Liveboards, or the full ThoughtSpot experience within their host application.