Secret key management

Secret key management

secret key overview🔗

The secret_key allows calling the ThoughtSpot token request REST APIs to generate a token for any user.

Requests with the secret_key do not require any type of user login or admin permissions and the secret_key is equivalent to an admin-level login for the token request REST APIs.

The secret_key must be stored securely and never exposed to end users in the web browser.

Enable Trusted authentication to get a secret key🔗

A new secret key is generated when the ThoughtSpot administrator enables Trusted authentication.


Starting from, Org administrators can generate a unique secret key for respective Orgs. To enable this feature on your cluster, contact ThoughtSpot Support.

To generate a secret key:

  1. Log in to the ThoughtSpot.

  2. If Orgs are configured on your instance, switch to the Org for which you want to generate a secret key.

    If the per-Org secret key feature is not enabled on your instance and if you want to generate a separate secret key for each Org, contact ThoughtSpot Support. ThoughtSpot also allows you to generate a secret key at the primary Org (Org 0) level and use it to obtain an authentication token for a user.

  3. Go to Develop > Customizations > Security settings.

  4. Click Edit.

  5. To enable trusted authentication, turn on the Trusted authentication toggle.

  6. To copy the secret key, click Edit again, navigate to Trusted authentication, and then click the copy to clipboard icon.

    The following example shows a ThoughtSpot-generated secret key string.


    This key is required for making API calls to get a token for ThoughtSpot users.

  7. Store the key in a secure location.

  8. Click Save Changes.

Request a new secret key🔗

Requesting a new secret_key simply involves disabling and re-enabling trusted authentication.

Any previous secret_key will be invalidated as soon as Trusted authentication has been disabled.

Disable Trusted authentication🔗

To disable Trusted authentication, follow these steps:

  1. Log in to ThoughtSpot.

  2. If the per-Org secret key feature is enabled and Orgs are configured on your instance, switch to the Org for which you want to disable trusted authentication.

  3. Go to Develop > Customizations > Security settings.

  4. Click Edit and turn off the Trusted authentication toggle.

    A pop-up window appears and prompts you to confirm the disable action.

  5. Click Disable.

    When you disable Trusted authentication, the validity of your existing secret key expires, and your app may become inoperable. To a new secret key and generate authentication tokens, you must enable Trusted authentication.