Jordan A - Hi all, I am new here and was hoping...
Hi all, I am new here and was hoping you could help. I am a product manager and we are looking to enable our embedded reports in our application. One of my engineers reported a potential issue during testing. In short, we confirmed that any logged-in user can extract the short-lived ThoughtSpot auth token from browser network traffic and use it to call the ThoughtSpot REST API directly (e.g., metadata/search), effectively bypassing the org-level filter we rely on to keep customer data separated. While this token is not the long-lived service account credential, it does grant temporary access to production ThoughtSpot data. As I understand it, a motivated user could potentially query ThoughtSpot outside the intended embedded experience and risk cross-org data exposure, which makes our current embed approach unsafe. Is there any way to mitigate this risk?
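The mechanism the post describes, as an added illustration that is not part of the original thread and is not ThoughtSpot's code or API: a short-lived bearer token that reaches the browser can always be replayed from a network trace, so the only question is what the server does with it. In this toy model the token format (an HMAC-signed JSON payload), the `search_metadata_*` endpoint names, the signing secret and the metadata dataset are all invented for the example. The insecure endpoint accepts the org filter as a request parameter, which is the pattern the embed front end sends correctly but a replaying user can change; the hardened endpoint derives the org from the verified token claims, so the same replayed token still yields only the issuing org, and a forged claim fails signature verification.

```python
"""Toy model of a browser-held embed token being replayed against a REST API.

Added example, not ThoughtSpot's code or API: token format, endpoint names,
secret and dataset are all made up to show one point, namely that a filter the
browser sends alongside a bearer token is advisory, while a filter derived from
the token's own signed claims is enforced.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server-side signing secret; it never reaches the browser.
_SIGNING_SECRET = b"server-only-secret-for-the-example"

# Constructed sample metadata, each object tagged with the org that owns it.
METADATA = [
    {"id": "lb-101", "name": "Sales Overview", "org": "org-a"},
    {"id": "lb-102", "name": "Churn Cohorts", "org": "org-a"},
    {"id": "lb-201", "name": "Pricing Model", "org": "org-b"},
    {"id": "lb-301", "name": "Payroll", "org": "org-c"},
]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, org: str, ttl_seconds: int = 300, now=None) -> str:
    """Mint a short-lived bearer token binding the user to exactly one org.

    The org is a claim inside the signed payload: the browser can read it but
    cannot change it without invalidating the signature.
    """
    now = time.time() if now is None else now
    claims = {"sub": user, "org": org, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(_SIGNING_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Check signature and expiry; return the claims or raise PermissionError."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(_SIGNING_SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            raise PermissionError("bad signature")
        claims = json.loads(payload)
    except (ValueError, TypeError):
        raise PermissionError("malformed token")
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims


def search_metadata_client_filtered(token: str, org_filter: Optional[str], now=None) -> list:
    """INSECURE pattern: the org filter is a request parameter the caller picks.

    Inside the embed the front end always sends the user's own org, so this
    looks correct in testing. A user who replays the token from a network
    trace can send any org, or none, and read every org's objects.
    """
    verify_token(token, now)  # authenticates the caller but does not scope the query
    return [m for m in METADATA if org_filter is None or m["org"] == org_filter]


def search_metadata_server_scoped(token: str, now=None) -> list:
    """Hardened pattern: the org comes only from the verified token claims.

    Replaying the token outside the embed still returns only the org it was
    issued for; widening the result set needs a differently signed token.
    """
    claims = verify_token(token, now)
    return [m for m in METADATA if m["org"] == claims["org"]]


def tamper_org_claim(token: str, new_org: str) -> str:
    """Attacker's attempt: rewrite the org claim but keep the original signature."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["org"] = new_org
    forged = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(forged)}.{sig_b64}"
```

The short TTL limits how long a captured token is useful, but it does not change what the token is allowed to see; that is decided entirely by which of the two endpoint shapes the server implements. Whether a given embed product lets the tenant boundary be bound to the token's identity rather than to a client-side filter is a question for that product's documentation, which this example does not stand in for.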