Security for embedded apps
Find answers to common security questions when embedding your app in Atlan: how authentication works, what the token can do, and how to configure headers and origin checks.
How does the embedded external app authenticate the user?
Atlan authenticates the user in the parent UI and shares authentication context with your app. Your app receives a JWT token and user context through the iframe postMessage handshake.
What permissions does the JWT token have?
The JWT token represents the logged-in user and carries the user's existing permissions. Your app can only perform actions that the current user is allowed to perform in Atlan.
Can the embedded app access Atlan cookies or the Atlan UI?
No. Your app runs in a sandboxed iframe and can't access Atlan's DOM, cookies, or localStorage.
What origin checks does the app need to implement?
Validate the origin of every incoming message against the Atlan origin you expect, and ignore messages from any other origin. When sending messages to Atlan, use an explicit targetOrigin and never use '*'.
How should the app store the token?
Don't put tokens in URLs or logs. Store tokens in memory when possible and clear tokens when the session ends.
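The following is an added example, not Atlan's own SDK code, showing the origin checks and in-memory token handling described in the two answers above. The Atlan origin, the message type names ("atlan:auth", "app:ready") and the payload shape are placeholders; take the real values from the "Send and receive messages" page.

```javascript
// Assumed: the Atlan tenant origin(s) allowed to talk to this app (placeholder value).
const ALLOWED_PARENT_ORIGINS = new Set(['https://example.atlan.com']);

// The token is held only in memory (module scope), never in a URL, a log or web storage.
const session = { token: null, user: null };

function isTrustedOrigin(origin) {
  // Exact match against the allowlist; no prefix or wildcard matching.
  return ALLOWED_PARENT_ORIGINS.has(origin);
}

// Returns 'ignored' for untrusted senders or unknown messages, 'stored' when a token was accepted.
// `reply` is the sender's postMessage function (event.source.postMessage in a browser).
function handleParentMessage(event, reply) {
  if (!isTrustedOrigin(event.origin)) return 'ignored';
  const data = event.data;
  if (!data || typeof data !== 'object') return 'ignored';
  // 'atlan:auth' is a hypothetical message type, not Atlan's real protocol.
  if (data.type === 'atlan:auth' && typeof data.token === 'string') {
    session.token = data.token;
    session.user = data.user || null;
    // Acknowledge with an explicit targetOrigin (the validated sender), never '*'.
    reply({ type: 'app:ready' }, event.origin);
    return 'stored';
  }
  return 'ignored';
}

// Clear the token when the session ends.
function clearSession() {
  session.token = null;
  session.user = null;
}

function getSession() {
  return session;
}

// Browser wiring, guarded so the module also loads outside a browser (e.g. in tests).
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) =>
    handleParentMessage(event, (msg, origin) => event.source.postMessage(msg, origin)));
  window.addEventListener('pagehide', clearSession);
}
```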
What headers are required for embedding?
Configure CSP on your app server so that the frame-ancestors directive includes the Atlan origin. If your server sets X-Frame-Options, make sure it doesn't block embedding.
See also
- Embed your app: Set up iframe embedding and authentication
- Register your app: Registration fields and render locations
- Send and receive messages: Message types and payload shapes
- Connection and authentication issues: Troubleshoot embed and auth failures
Need help?
If you can't find the answer you're looking for, contact Atlan support: Submit a request.