Security boundaries
Embedding analytics with Toucan AI is designed to keep your data secure and your users’ access tightly controlled. Understanding the security boundaries helps you integrate analytics confidently and in compliance with your organization’s requirements.
Key Security Principles
Separation of Concerns: Your application is responsible for authenticating users and generating secure tokens. Toucan AI only processes requests and data that are explicitly authorized by these tokens.
Token-Based Access Control: All embedded dashboards, charts, and assistants require a valid, signed token. Tokens define:
Which user or tenant is accessing the data
What data they are allowed to see (row-level security, object-level access)
The expiration and scope of access
Row-Level Security (RLS): You can enforce fine-grained data access by mapping token attributes (e.g., user ID, department, region) to database columns. This ensures users only see the data they’re permitted to view.
API Key Management: API keys are used to generate tokens and should always be kept server-side. Never expose API keys in client-side code or public repositories.
Origin Restrictions: You can restrict where Toucan AI components can be embedded by specifying allowed origins (domains) in your settings. Only requests from these origins will be honored.
Data Residency & Deployment: Toucan AI supports both SaaS and self-hosted deployments. For sensitive or regulated data, you can deploy Toucan AI within your own infrastructure to maintain full control over data residency and compliance.
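The boundary described in these principles, modeled as an added example (not Toucan AI's code, token format or API): the host application signs a short-lived token, and the analytics side checks origin, signature, expiry and scope before turning token attributes into a row-level filter. The HMAC scheme, key, origin, column mapping and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Hypothetical model: not Toucan AI's token format or API. All values are constructed.
SIGNING_KEY = b"constructed-demo-key"  # kept server-side only
ALLOWED_ORIGINS = {"https://app.example.com"}
RLS_COLUMNS = {"tenant_id": "tenant_id", "region": "sales_region"}  # attribute -> column

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(user, attrs, scope, ttl=300, now=None):
    """Host application: sign identity, RLS attributes, scope and expiry."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "attrs": attrs, "scope": scope, "exp": now + ttl}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    return body + "." + b64e(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def verify_token(token, origin, wanted_scope, now=None):
    """Analytics side: honor only what a valid token explicitly authorizes."""
    now = int(time.time()) if now is None else now
    if origin not in ALLOWED_ORIGINS:
        raise PermissionError("origin not allowed")
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64d(sig), expected):
            raise ValueError("signature mismatch")
        claims = json.loads(b64d(body))
    except ValueError:
        raise PermissionError("bad token") from None
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    if wanted_scope not in claims["scope"]:
        raise PermissionError("scope not granted")
    return claims

def rls_filter(claims):
    """Map token attributes to a parameterized WHERE clause; values are never inlined."""
    pairs = [(RLS_COLUMNS[k], v) for k, v in sorted(claims["attrs"].items())]
    if not pairs:  # no attributes means no filter: refuse instead of returning every row
        raise PermissionError("no RLS attributes")
    return " AND ".join(f"{col} = ?" for col, _ in pairs), [v for _, v in pairs]
```

An attribute with no entry in `RLS_COLUMNS` raises `KeyError`, so an unmapped claim stops the query instead of being silently ignored.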
Security Responsibilities
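| Responsibility | Your application | Toucan AI |
| --- | --- | --- |
| User authentication | ✅ | |
| Token generation | ✅ | |
| API key storage | ✅ | |
| Data access control | ✅ (via token attributes) | ✅ (enforced at query time) |
| Data storage | | ✅ (if using SaaS) |
| Visualization rendering | | ✅ |
| Row-level security | ✅ (define rules) | ✅ (enforce rules) |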
Best Practices
Always generate and sign tokens server-side.
Use short-lived tokens and rotate API keys regularly.
Apply row-level security for multi-tenant or sensitive data scenarios.
Restrict allowed origins to trusted domains.
Regularly audit token scopes and access logs.
Summary
Toucan AI is built to respect your security boundaries. By combining robust token-based access, row-level security, and flexible deployment options, you can embed analytics with confidence—knowing your data and users are protected at every step.