1. Why this is needed
Metabase exposes two embedding modes: static and interactive. Static embedding uses JWT-signed URLs with locked parameters — exactly what multi-tenant SaaS embedding needs. Embedportal uses your embedding secret key to sign tokens that Metabase verifies server-side before rendering the dashboard.
Works with: Metabase Open Source and Enterprise (Cloud and self-hosted). Static embedding is free in both.
2. Prerequisites
- A Metabase instance with admin access.
- At least one dashboard or question you want to embed.
- An Embedportal workspace (Professional or Enterprise plan).
- About 10 minutes.
3. Enable Static Embedding in Metabase
- 01 Sign in as admin: You need an administrator account on the Metabase instance.
- 02 Open Admin settings: Click the settings gear icon in the top right → Admin settings.
- 03 Toggle Enable Static Embedding: Navigate to Embedding in the left sidebar, and switch Enable Static Embedding to ON.
4. Copy the Embedding Secret Key
As soon as you enable static embedding, Metabase displays an Embedding Secret Key — a 64-character hexadecimal string. Copy it and paste it into Embedportal’s Secret Key field.
// example shape (yours will be different)
f7b2a1c9e4d8f3a2b7c1e9d4f8a3b2c7e1d9f4a8b3c2e7d1f9a4b8c3e2d7f1a9
important — this key signs every JWT. Never expose it in client-side code or commit it to a repo.
5. Enter the Metabase Site URL
Paste the base URL of your Metabase instance into Embedportal’s Metabase Site URL field.
https://yourcompany.metabaseapp.com
https://metabase.yourcompany.com
Use the full URL with protocol, no trailing slash. This is the URL your browser uses to reach Metabase — not an API-specific endpoint.
6. Enable Embedding on Each Dashboard / Question
In Metabase, Static Embedding is enabled per resource. For every dashboard or question you want to surface in Embedportal:
- Open the dashboard or question.
- Click the sharing icon → pick the Embed option.
- Select Static Embedding.
- Toggle Enable to make the resource embeddable.
- Copy the Dashboard ID (or Question ID) from the URL or embed code.
- In Embedportal, add a navigation item with that ID.
This two-sided toggle is Metabase’s way of preventing accidental embed exposure. Any resource whose embed toggle is OFF stays private even if someone knows its ID.
7. Configure Allowed Origins (optional)
In Metabase’s embedding settings, add the domains that are allowed to embed your content. A typical entry is your Embedportal domain, for example dev.atspark.com or your custom white-labeled domain.
Allowed origins adds a browser-level defence layer on top of the JWT signature: even if someone steals a signed URL, their browser will refuse to render the iframe unless they’re on an allowed origin.
8. Fields you’ll fill in Embedportal
Click Save & Test Connection. Embedportal signs a test JWT, pings Metabase, and returns a green confirmation.
9. Row-level security (locked parameters)
Metabase’s equivalent of RLS is locked parameters. When you enable static embedding on a dashboard, you pick which parameters are locked — meaning they can only be set server-side on the signed token, not by the viewer in the UI.
In Embedportal, enable RLS on the dashboard and pick the attributes to forward. Embedportal signs the Metabase embed JWT with params filled from the viewer’s claims:
{
  "resource": { "dashboard": 42 },
  "params": {
    "organization_id": "ORG_ACME",
    "region": "emea"
  },
  "exp": 1747486500
}
For the vendor-agnostic setup, see Row-level security for embedded dashboards.
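The signing step described in this section, as an added example that is not Embedportal's or Metabase's own code: it builds the payload shown above from server-side viewer claims, signs it with HS256 using only the Python standard library, and models the receiving check so that a tampered `params` value can be seen to fail. The function names, `SAMPLE_SECRET` and the claim values are assumptions made for illustration; the iframe path follows Metabase's `/embed/dashboard/<token>` URL shape.

```python
import base64, hashlib, hmac, json, time

# Constructed sample key (64 hex chars); a real key stays in backend secret storage.
SAMPLE_SECRET = "ab" * 32

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_embed_token(secret, dashboard_id, viewer_claims, locked, ttl=600, now=None):
    """HS256 JWT whose params come only from server-side viewer claims."""
    missing = [name for name in locked if name not in viewer_claims]
    if missing:  # fail closed: never sign a token with an unset locked parameter
        raise ValueError(f"no claim for locked params: {missing}")
    now = int(time.time()) if now is None else now
    payload = {
        "resource": {"dashboard": dashboard_id},
        "params": {name: viewer_claims[name] for name in locked},
        "exp": now + ttl,  # short-lived, so a leaked URL ages out quickly
    }
    parts = ({"alg": "HS256", "typ": "JWT"}, payload)
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_embed_token(secret, token, now=None):
    """Model of the receiving side: payload if signature and exp hold, else None."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(secret.encode(), f"{head}.{body}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        payload = json.loads(b64url_decode(body))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    now = int(time.time()) if now is None else now
    return payload if payload.get("exp", 0) > now else None

def embed_url(site_url, token):
    # Section 5's rule: full URL with protocol, no trailing slash.
    if not site_url.startswith(("http://", "https://")) or site_url.endswith("/"):
        raise ValueError("site URL needs a protocol and no trailing slash")
    return f"{site_url}/embed/dashboard/{token}#bordered=true&titled=true"
```

Only the attributes named in `locked` reach the token, so any other viewer claim (an e-mail address, for instance) is never placed in the URL.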
10. Security best practices
- Never expose the secret key in client-side code, public repos, or browser-accessible config.
- Rotate the embedding secret key at least annually (Metabase generates a new one with one click).
- Use allowed origins to restrict which domains can embed your content.
- Only enable embedding on dashboards that should be exposed externally.
- Use locked parameters for any attribute that scopes data — never rely on a viewer-editable parameter for access control.
11. Troubleshooting
- “Embedding is not enabled” — Metabase’s master toggle in Admin → Embedding is off. Turn it on.
- Dashboard renders but fails to load data — embedding is enabled globally but not on this specific dashboard. Open the dashboard’s Share menu and toggle Enable for static embedding.
- 400 Bad JWT signature — the secret key in Embedportal doesn’t match what Metabase has. Regenerate in Metabase and paste again.
- “This origin is not allowed” — your Embedportal domain isn’t on Metabase’s allowed origins list. Add it.
- Locked parameter appears editable — the parameter isn’t marked as Locked on the dashboard’s embed settings. Switch it from Editable to Locked.
- Metabase Site URL mismatch — if you change Metabase’s public URL (for example moving from http to https), update the Embedportal field too.
12. FAQ
Is Metabase static embedding really free?
Yes. Static embedding is included in Metabase Open Source and Metabase Cloud / Enterprise alike. There’s no separate licence to embed into Embedportal.
Static vs interactive embedding: which does Embedportal use?
Embedportal uses static embedding. It’s the right fit for per-tenant dashboards with locked parameters and JWT signing. Interactive embedding re-renders the full Metabase UI and requires an Enterprise licence.
Can I embed Metabase questions as well as dashboards?
Yes. Add a navigation item with either the Dashboard ID or Question ID. The JWT flow is identical for both.
How does RLS work?
Lock the parameters on the dashboard’s embed settings. Embedportal will pass the viewer’s attributes as params on the JWT, and Metabase forces those values server-side.
Where do I find the dashboard ID?
Open the dashboard in Metabase. The number at the end of the URL (e.g. .../dashboard/42) is the Dashboard ID. Or look at the embed code on the Share menu.
Does Embedportal store the embedding secret key?
It stores the encrypted secret at rest (AES-256-GCM) and never sends it to the browser. The key is used only on Embedportal’s backend to sign short-lived Metabase embed JWTs.