Blog · 7 min read

Embedding Metabase dashboards in a SaaS product: the three modes and multi-tenant isolation

Putting a dashboard inside your product is easy. Making sure each customer sees only their own data — with no leakage — is what separates a demo from production.
By · published on

You built a SaaS product and your customer wants to see their own numbers inside it — not in another tool, behind another login. Metabase solves this with embedding, but "embed a dashboard" hides three very different modes and one question that decides everything: how to guarantee each customer sees strictly their own data.

Why embed analytics in the product

Sending the customer to a separate tool costs context, login and adoption. Embedded analytics — dashboards inside your own interface, with your brand — becomes part of the product: the data shows up where the decision happens. The question is never whether, it is how — and the "how" in Metabase has three forms.

The three Metabase embedding modes

The problem that decides everything: multi-tenant isolation

In a multi-tenant product, the worst possible mistake is one customer seeing another customer data. Safe isolation depends on the mode:

What never to do

Choosing the right mode

Rule of thumb: if the customer only needs to view a panel per tenant, signed static embedding handles it — and runs on open source. If they need to explore and build questions with row-level isolation, it is interactive embedding + data sandboxing (Enterprise). If exploration is needed but the budget is OSS, separate the data per tenant in the architecture. The mistake is choosing by the shine of the demo, not by the real isolation requirement.

Systems we connect here

Frequently asked questions

Can you do secure multi-tenant embedding on open-source Metabase?

Yes, for fixed panels per customer: static embedding uses a JWT signed on your server with the tenant identifier locked as a parameter. The customer cannot forge another. For open exploration with automatic row-level isolation, you do need the data sandboxing of Pro/Enterprise — or separate the data per connection/schema per tenant on open source.

Can a customer bypass the filter and see another tenant data?

No, if the tenant identifier is a locked parameter inside the signed token (or applied by data sandboxing). Because the signature is made with a server secret, altering the token invalidates the embed. Leakage only happens when the filter is passed via an editable URL or applied only in the front-end — exactly what the correct architecture prevents.

Start at no cost

Want embedded analytics in your product, with leak-proof per-customer isolation? Free 48-hour diagnostic.

We map your current systems, point out the biggest bottlenecks and deliver a plan prioritized by risk × effort. You leave with clarity — whether you hire Meta Dados or not.

Get my diagnostic → Chat on WhatsApp No commitment, no credit card.
We reply within 2 business hours.
←  Voltar para Blog