# Copy of Authentication models

Embedding analytics securely means choosing the right authentication model for your product and users. Toucan AI supports flexible authentication approaches to fit a variety of integration scenarios, from simple SaaS products to complex, multi-tenant platforms.

### Why Authentication Matters

Authentication ensures that only authorized users can access embedded dashboards, charts, and AI assistants. It also enables fine-grained control over what data each user can see, supporting row-level security, multi-tenancy, and compliance requirements.

***

### Supported Authentication Models

#### 1. Token-Based Authentication (Recommended)

**How it works:**

* Your backend authenticates the user (via your own auth system: SSO, OAuth, JWT, etc.).
* Your backend generates a signed token (using your Toucan AI API key) that encodes the user’s identity, permissions, and any custom attributes (e.g., organization, department, region).
* The token is passed to the embedded Toucan AI component in the frontend.
* Toucan AI validates the token and enforces access control and row-level security.

**Best for:**

* Most production use cases
* Multi-tenant SaaS platforms
* Scenarios requiring row-level security or user-specific data

**Benefits:**

* Secure: API keys and signing logic stay server-side
* Flexible: Supports custom attributes and fine-grained access
* Scalable: Works with any authentication provider

***

#### 2. API Key Authentication (For Testing & Development)

**How it works:**

* You use your Toucan AI API key directly to generate tokens in a sandbox or development environment.
* API keys should never be exposed in client-side code or production environments.

**Best for:**

* Local development
* Testing embedding and integration flows

**Benefits and caveats:**

* Quick setup for prototyping
* Not recommended for production

***

#### 3. Single Sign-On (SSO) Integration

**How it works:**

* Your application handles SSO (e.g., SAML, OAuth, OpenID Connect) for user authentication.
* After authentication, your backend generates a Toucan AI token for the user session.
* The rest of the flow is identical to token-based authentication.

**Best for:**

* Enterprise deployments
* Organizations with centralized identity providers

***

### How to Choose

* For most use cases: Use token-based authentication, generated server-side after your own user authentication.
* For internal tools or demos: API key authentication is acceptable, but never expose keys in production.
* For enterprise SSO: Integrate your SSO provider and generate tokens after successful login.

***

### Example Flow

![Authentication Flow](/files/Ie6KaBBHgQYLEkm9qJeM)

***

### Best Practices

* Always generate and sign tokens server-side.
* Never expose API keys or signing secrets in client-side code.
* Use short-lived tokens and rotate API keys regularly.
* Include only necessary attributes in tokens for access control and row-level security.
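The token-based flow from section 1 and the practices listed above, as an added example that is not Toucan AI's own SDK or token format: the backend mints a short-lived HMAC-SHA256-signed token carrying only the attributes access control needs, and the verifying side checks signature and expiry. The `API_KEY`, the `ALLOWED_ATTRIBUTES` filter, the claim names and the HMAC layout are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for illustration only. In a real deployment this is the
# Toucan AI API key, held on the backend and never shipped to the browser.
API_KEY = b"example-api-key-do-not-use"

# Only attributes that access control / row-level security needs get into the token.
ALLOWED_ATTRIBUTES = {"organization", "department", "region"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id: str, attributes: dict, ttl_seconds: int = 300,
               now: Optional[int] = None) -> str:
    """Server side: build and sign a short-lived embed token (assumed format)."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": user_id,
        "iat": now,
        "exp": now + ttl_seconds,
        "attrs": {k: v for k, v in attributes.items() if k in ALLOWED_ATTRIBUTES},
    }
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(API_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Verifier side: reject malformed, tampered or expired tokens; return claims."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(API_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims
```

Note that `mint_token` silently drops any attribute not in `ALLOWED_ATTRIBUTES`, so a caller cannot accidentally leak unrelated user data into the token.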

***

### Summary

Toucan AI’s authentication models are designed to be secure, flexible, and easy to integrate—so you can deliver embedded analytics with confidence.
