@tbba opened this Issue on January 23rd 2023

Hi, I can get a widget code like this for embedding on a website:

_https://domain.de/matomo/index.php?module=API&format=HTML&idSite=1&period=day&date=2022-12-24,2023-01-22&method=API.get&filter_limit=100&format_metrics=1&expanded=1&token_auth=ENTER_YOUR_TOKEN_AUTH_HERE_

I found the instruction funny:
The "Do not give the TOKEN away" warning, while this needs to be openly embedded as a GET variable?

_Replace ENTER_YOUR_TOKEN_AUTH_HERE in the export URL with your authentication token. 
Warning: Never give the URL with the real token to anyone._

I think this needs to be explained.

Matomo 4.13.1.

@bx80 commented on January 25th 2023 Contributor

Hi @tbba,

Thanks for the feedback.

The token is specific to each user and for security reasons one user's token should not be shared with another user; however, for the link to work a user token does need to be included. The ENTER_YOUR_TOKEN_AUTH_HERE serves as a placeholder to help people see where to add their own token to the link.

You can read the original thinking behind this change here

The "Do not give the TOKEN away" warning is there for users with non-technical backgrounds for whom it might not be obvious that URLs containing security tokens should not be shared.

The full export report instruction reads:

"Note: To use the generated export URL, you will need to specify an app token auth. You can configure these tokens in [Admin → Security → Auths Tokens]. Replace ENTER_YOUR_TOKEN_AUTH_HERE in the Export URL by your Auth token. Warning: Never share the URL with the real token with anyone else."

Could you be a bit more specific about which part of this you think needs more explanation? Would a link to a step-by-step guide showing how to create a new token and update the URL be helpful?
