Execution contract
Follow the workflow steps in order — do not skip any step. Create the checklist first, then execute each step and explicitly mark it done with evidence. Each step's output feeds into the next, so skipping steps produces wrong migrations.
If you cannot complete a step due to missing info or tool failure, you must:
- record the step as ❌ blocked,
- explain exactly what is missing / what failed,
- stop (do not proceed to later steps).
Required output structure
Your response should contain these sections in this order:
- Step 0 Results: Metabase Version Detection
- Step 0.1: Migration Plan Checklist
- Step 1 Results: Project Scan + Docs Fetch
- Step 2 Results: Static Embed Analysis & Web Component Mapping
- Step 3: Migration Plan
- Step 4: Applied Code Changes
- Step 5: Validation
- Step 6: Final Summary
Each step section should end with a status line:
Steps are sequential — do not start a step until the previous one is ✅ complete.
Evidence requirements
- Step 0: Metabase version detected (source: Docker tag, env var, or user answer).
- Step 1: every matched file path, every static embed location, JWT signing code, layout/head file, Metabase config variables, fetched docs listing.
- Step 2: per embed — parsed iframe URL, content type, token variable, hash params, mapped web component with attributes.
- Step 3: the complete file-by-file change plan with exact old/new code.
- Step 4: per file — what was changed and exact diffs applied.
- Step 5: each validation check's pass/fail result with evidence.
Architectural conformance
Follow the app's existing architecture, template engine, layout/partial system, code style, and route patterns. Do not switch paradigms (e.g., templates to inline HTML or vice versa). If the app has middleware for shared template variables, prefer that over duplicating across route handlers.
The web component must be rendered using the
same delivery mechanism as the static iframe it replaces. If the iframe was rendered by a server-side template (EJS, Jinja, ERB, Blade, etc.), the web component should be rendered by the same template. If the iframe was returned as inline HTML from a route handler (e.g.,
), the web component should be returned the same way. If the iframe was in a static HTML file, the web component goes in that same file. Do not move rendering from one layer to another — the migration should be a drop-in replacement at the same point in the rendering pipeline.
Token delivery must use the same mechanism as the original static embedding. If the JWT was rendered server-side into the HTML (e.g.,
<iframe src=".../${token}">`)
), the migrated web component should receive its token the same way — rendered server-side into the
token
<metabase-dashboard token="${token}">
). If the JWT was fetched client-side via
fetch()
fetch()` for the token. Do not change the delivery mechanism — just change what is delivered (raw token instead of full iframe URL).
Credential safety
This migration touches code that handles
and signed JWTs. Rules:
- Never output literal secret values — if you encounter a hardcoded secret key or token string in the code, reference it by variable name only (e.g., "the secret in "), never echo the value itself
- In code diffs and summaries, use variable references (, ) — not the resolved values
- If you find hardcoded secrets, flag them to the user and recommend moving them to environment variables as part of the migration
Performance
- Maximize parallelism within each step. Use parallel Grep/Glob/Read calls in single messages wherever possible.
- Do not use sub-agents for project scanning — results need to stay in the main context for cross-referencing in later steps.
- Do not parse repo branches, commits, PRs, or issues.
Scope
This skill converts static (signed) iframe embedding to guest embeds (web-component-based via
). Both approaches use the same authentication model — signed JWTs with
— so the backend signing logic is preserved. The migration changes how the signed content is delivered: from iframes with JWT-in-URL to web components with a
attribute.
The consumer's app may be written in any backend language (Node.js, Python, Ruby, PHP, Java, Go, .NET, etc.) with any template engine. Keep instructions language-agnostic unless a specific language is detected in Step 1.
What this skill handles
- Replacing signed elements (, ) with web components (
<metabase-dashboard token="...">
<metabase-question token="...">
- Adding the script tag (exactly once at app layout level)
- Adding with (exactly once at app layout level)
- Mapping iframe hash parameters (, ) to web component attributes
- Preserving the existing JWT signing logic — the backend still signs tokens with using the same payload
- Converting how the signed token reaches the frontend (from iframe URL path to template variable passed as attribute)
- Mapping locked in the JWT to attribute where applicable
- Removing references if present
What this skill does not handle
- Migrating to SSO-based modular embedding (with user accounts) — this skill targets guest embedding only
How guest embeds differs from static iframe embedding
The auth model is the
same — both use
to sign JWTs with
. What changes is how the embed is rendered:
| Aspect | Static embedding (iframe) | Guest embeds (web component) |
|---|
| Element | <iframe src="/embed/dashboard/{JWT}#params">
| <metabase-dashboard token="{JWT}">
|
| Token delivery | Baked into iframe URL path | Passed as attribute |
| Config | None (iframe is self-contained) | window.metabaseConfig = { isGuest: true, instanceUrl: "..." }
|
| Script | Optional | Required |
| Appearance | Hash params () | Component attributes () |
| Locked params | In JWT field | Same JWT field (unchanged) |
| Secret key | | Same |
Guest embeds support additional attributes (e.g., downloads, drill-through, hidden parameters) not available in static embedding. Consult the fetched docs for the full list of available attributes for the target version.
Allowed documentation sources
Fetch the version-specific
using this URL:
https://www.metabase.com/docs/v0.{VERSION}/llms-embedding-full.txt
The version in the URL uses the format
(normalize: strip leading
or
, drop patch — e.g.,
→
→ URL uses
). This single file contains all embedding documentation for that version, optimized for LLM consumption.
Other constraints:
- No GitHub PRs/issues or npm pages
- Do not follow changelog links to GitHub or guess URLs
AskUserQuestion triggers
Use AskUserQuestion and halt until answered if:
- The Metabase instance URL cannot be determined from project code or environment variables
- The backend language cannot be determined
- The Metabase instance version cannot be determined from the project code
- No layout/head file can be identified (unclear where to inject embed.js)
- Multiple layout files exist and it is unclear which one(s) to use
Pre-workflow steps
Migration Plan Checklist
Create a checklist to track progress. In Claude Code, use TaskCreate/TaskUpdate tools:
- Step 0: Detect Metabase version
- Step 1: Scan project + fetch target version docs
- Step 2: Analyze static embeds and map to web components (using docs)
- Step 3: Plan migration changes
- Step 4: Apply code changes
- Step 5: Validate changes
- Step 6: Final summary
Workflow
Step 0: Detect Metabase version
Before anything else, determine the Metabase version. Grep the project for Docker image tags (
,
metabase/metabase-enterprise:v
),
, or version references. If undetected, AskUserQuestion (options:
,
,
). Abort if < v53 (modular embedding not available). Record the version.
Step 1: Scan the project + fetch docs
Perform the project scan and doc fetch concurrently — they are independent. Use parallel tool calls within a single message wherever there are no dependencies.
1a: Fetch target version docs
Fetch
for the target version (see "Allowed documentation sources" for URL format). These docs are the authoritative source for web component attributes,
options, and guest embedding configuration for the target version. Use them in Step 2 for mapping instead of relying on hardcoded tables alone.
Launch this concurrently with the project scan steps below.
1b: Identify backend language and framework
- Check for dependency/build files (, , , , , , etc.).
- Identify the template engine and record the language and framework.
1c: Check for existing modular embedding setup
Grep for these patterns (in parallel) to detect if the app already has modular embedding configured:
- — existing embed.js script tag
- — existing config assignment
Record whether each is already present and where. If both already exist (e.g., the app uses modular embedding alongside static embedding), Steps 3a and 3b will skip adding them.
1d: Find ALL static embedding code
Use Grep to search for all of these patterns (in parallel):
- in all files — static embed dashboard URLs
- in all files — static embed question URLs
- in all template/HTML/JSX/view files — the embed elements
- or
METABASE_EMBEDDING_SECRET_KEY
- near or — JWT payload structure
- — optional auto-resize script
For each file with a match, read the entire file.
1e: Find JWT signing code
Use Grep to search for all of these patterns (in parallel):
- or or or or or
- or
- combined with (the static embed JWT payload shape)
For each matching file, read the entire file.
1f: Find the layout/head file(s)
Find the single file (or common code path) where the HTML
section is defined — this is where
and
will be injected (unless already present per Step 1c).
Search for:
- or or in template/view files
- Layout/wrapper patterns: , , , , , , ,
- If the app builds HTML via inline strings in server code (e.g., ), identify where the content is generated
1g: Find Metabase configuration
Grep for
and
prefixed variables. Record every Metabase-related variable name and where it is read.
Output: Structured Project Inventory
Compile all findings into:
Backend: {language}, {framework}, {template engine}
Metabase config:
- Site URL variable: {name} (read at {file}:{line})
- Secret key variable: {name} (read at {file}:{line})
- Other variables: ...
Layout/head file: {path}:{line range}
Static embeds found: {count}
- {file}:{line} — {brief description} (dashboard/question, ID: {id})
- ...
JWT signing: {file}:{line} — {library used}
JWT payload: resource type={dashboard|question}, params={list or "none"}
iframeResizer: {present|not present}
Existing modular embedding: {embed.js: yes/no, metabaseConfig: yes/no}
Step 2: Analyze static embeds and map to web components (ONLY after Step 1 ✅)
Use the documentation fetched in Step 1a as the authoritative reference for web component attributes,
options, and guest embedding behavior. The hardcoded tables below are fallbacks — if the docs describe additional attributes or different behavior for the target version, prefer the docs.
For each static embed found in Step 1:
2a: Parse the signed iframe URL
Extract from the iframe
attribute:
- Metabase base URL: may come from env var, constant, or be hardcoded
- Resource type: or (from the path)
- Resource ID: the numeric ID from the JWT field (e.g.,
resource: { dashboard: 10 }
- Locked parameters: any in the JWT payload (e.g.,
params: { category: ["Gadget"] }
- Hash parameters: appearance customization after (e.g.,
#titled=true&bordered=false
- iframeResizer usage: whether is called on this iframe
2b: Map content type to web component
| Static embed URL pattern | Modular Web Component | Required Attribute |
|---|
| | |
| | |
The
attribute receives the same signed JWT that was previously baked into the iframe URL. The backend signing code stays the same — only the delivery mechanism changes.
If the token was built dynamically in a template (e.g.,
src="<%= metabaseUrl %>/embed/dashboard/<%= token %>"
), extract the token variable and pass it as the
attribute (e.g.,
).
2c: Map hash parameters
Parameters that map to web component attributes:
| Static embedding hash params | Guest embeds equivalent |
|---|
| on the component |
| No direct equivalent — drop (web components have no border chrome) |
| No direct equivalent — drop (handled by Metabase instance config) |
| Use window.metabaseConfig.theme
|
2d: Map locked and editable parameters
Locked parameters (in JWT
field) — no change needed. They remain in the JWT and continue to work the same way. The signed token already contains them.
Editable parameters — if the static embed allowed users to interact with filters, these can now be set as defaults via the
attribute:
html
<metabase-dashboard
token="{JWT}"
initial-parameters='{"category":["Doohickey","Gizmo"]}'
></metabase-dashboard>
sets default filter values that the user can change. This is a new capability not available in static iframe embedding.
2e: Output Migration Mapping Table
For each static embed, output:
embed #{n}: {file}:{line}
Old: {iframe HTML or signing + iframe code}
Content type: {dashboard|question}
Token variable: {template expression for the signed JWT}
Locked params: {in JWT — no change needed}
Hash params: {list or "none"}
Dropped params: {list}
Mapped attributes: {list}
New: {exact replacement web component HTML}
Step 3: Plan migration changes (ONLY after Step 2 ✅)
Create a complete file-by-file change plan covering all areas below. Every change should be specified with the target file, the old code, and the new code.
3a: metabaseConfig — exactly once per app
Skip this step if Step 1c found an existing assignment. If it exists but is missing
, add that field to the existing config instead of creating a new one.
- Target: the layout/head file identified in Step 1f
- Location: inside , before the embed.js script tag (the config must be set before embed.js loads)
- Code to add:
html
<script>
window.metabaseConfig = {
isGuest: true,
instanceUrl: "{METABASE_SITE_URL}",
};
</script>
- is required — it tells embed.js to use guest (signed token) mode instead of SSO mode.
- should be rendered dynamically using the project's template expression syntax.
- Locale: If a parameter was found in any static embed hash, add to the config object.
- Consult the fetched docs (Step 1a) for any additional options supported by the target version (e.g., , ).
- should be set exactly once.
3b: embed.js script injection — exactly once per app
Skip this step if Step 1c found an existing embed.js script tag.
- Target: same layout/head file as 3a
- Location: inside , after the script (embed.js reads the config on load)
- Code to add:
html
<script defer src="{METABASE_SITE_URL}/app/embed.js"></script>
- should be rendered dynamically using the project's existing template expression syntax.
- Verify this will appear exactly once in the rendered HTML regardless of which page the user visits.
3c: Refactor backend token delivery
The backend already has JWT signing code that produces the token. Currently it builds a full iframe URL (
/embed/dashboard/{token}#params
). The signing logic stays — but how the token reaches the frontend changes:
- Before: Backend builds full iframe URL string, passes to template, template renders
- After: Backend passes just the signed token to the template, template renders
<metabase-dashboard token="{token}">
For each signing location found in Step 1d:
- Keep the JWT signing call (
jwt.sign(payload, METABASE_SECRET_KEY)
- Remove the URL construction code that prepended
{baseUrl}/embed/dashboard/
- Pass the raw token string to the template context instead of the full URL
If the signing happens inline in the template handler (not in a shared function), the change is local to that handler.
3d: iframe replacement plan
For EACH iframe from Step 2e's Migration Mapping Table:
- Specify: file path, exact old code to replace, exact new code
- The new web component uses where is the template expression for the signed JWT
- Map hash parameters to component attributes per Step 2c
- Preserve styling: Transfer the iframe's sizing directly to the web component element — no wrapper needed:
- If the iframe had / HTML attributes or inline , apply them directly to the web component (e.g.,
<metabase-dashboard token="..." style="width:800px;height:600px">
- If the iframe was styled via CSS classes, apply those classes directly to the web component
- If the iframe was inside a container that already controls sizing, no extra styling needed — the web component will fill that container
- If the iframe used for auto-height, drop it — web components handle their own sizing
- Remove any calls associated with this iframe
3e: Dead code removal
After replacing iframes, identify and remove:
- URL construction code that built
/embed/dashboard/{token}#params
/embed/question/{token}#params
- script tag and any calls
- Hash parameter string construction (e.g.,
const mods = "titled=true&bordered=false"
- Any helper functions that were only used for building static embed iframe URLs
Do not remove:
- JWT signing code (
jwt.sign(payload, METABASE_SECRET_KEY)
- env var — still used
- JWT library imports — still used
- Any code used by other parts of the application
3f: Metabase admin configuration notes (manual steps for the user)
List these as part of the plan — they will be included in the final summary:
- Enable modular embedding: Admin > Embedding > toggle "Enable modular embedding"
- Enable guest embedding: Admin > Embedding > ensure "Guest embedding" (or "Static embedding" in older UI) is enabled. The existing static embedding secret key is reused.
- Configure CORS origins: Admin > Embedding > Security > add the host app's domain (e.g., ). This is new — static iframe embedding did not require CORS configuration.
Step 4: Apply code changes (ONLY after Step 3 ✅)
Apply all changes from Step 3 in this order:
- First: Add assignment and embed.js script tag to the layout/head file (Step 3a + 3b, config before embed.js)
- Second: Refactor backend token delivery — keep signing, remove URL construction (Step 3c)
- Third: Replace each iframe with its web component (Step 3d), one file at a time
- Fourth: Remove dead code — iframeResizer, URL builders (Step 3e)
Constraints:
- Use the Edit tool with precise / for every change
- Do not add new package dependencies — modular embedding requires only the embed.js script served by the Metabase instance
- Do not change or remove — it is still used for signing
- If a file requires multiple edits, apply them top-to-bottom to avoid offset issues
Step 5: Validate changes (ONLY after Step 4 ✅)
Perform all of these checks. Each check should have an explicit pass/fail result.
5a: No remaining static embed iframes
Use Grep to search for
and
across all project files (excluding
,
, lockfiles).
Pass criteria: zero static embed URL constructions found (the pattern may still appear in comments — verify these are not live code).
5b: embed.js appears exactly once
Use Grep to search for
across all project files (excluding
,
).
Pass criteria: exactly ONE occurrence in the layout/head file.
5c: window.metabaseConfig is set exactly once
Use Grep to search for
across all project files (excluding
,
).
Pass criteria: exactly ONE occurrence with
.
5d: JWT signing code is preserved
Read the JWT signing file(s). Verify:
- (or equivalent) call still exists
- is still read from environment
- JWT payload still contains and fields
Pass criteria: signing logic intact.
5e: No remaining iframeResizer references
Use Grep to search for
and
across all project files.
Pass criteria: zero references remain (or only in unrelated code).
5f: Spot-check modified files
Read each modified file and verify:
- Web components have attribute with correct template expression
- Template syntax is valid (no unclosed tags, correct expressions)
- Dead code identified in Step 3e has been removed
Pass criteria: all checks pass.
If ANY check fails:
- Fix the issue immediately
- Re-run the specific check
- If unable to fix after 3 attempts, mark Step 5 ❌ blocked and report which check failed and why
Step 6: Output summary
Organize the final output into these sections:
- Changes applied: list every file modified and a one-line description of each change
- Web component mapping: table showing each old signed iframe → new web component:
| File | Old | New |
|---|---|---|
| views/analytics.ejs | <iframe src="/embed/dashboard/{token}#titled=true"> | <metabase-dashboard token="{token}" with-title="true"> |
- What stayed the same: JWT signing logic, , locked parameters in JWT field
- Dropped parameters: list of static embed hash parameters that were dropped, with brief explanation
- New capabilities available: features now accessible that weren't in static iframe embedding:
- attribute for editable filter defaults
- attribute for enabling downloads (Pro/Enterprise)
- Better mobile responsiveness (web components adapt to container)
- Manual steps required (Metabase admin configuration from Step 3f):
- Enable modular embedding
- Ensure guest embedding is enabled (reuses existing secret key)
- Configure CORS origins (new requirement)
- Behavioral differences the user should be aware of:
- Web components expand to fill their container — if the iframe had fixed dimensions, verify the container provides appropriate sizing
- The appearance option is no longer available — web components render without a frame
- Auto-refresh () is no longer controlled per embed — configure it in Metabase instance settings instead
Retry policy
Doc fetching:
- If fetching returns 404, verify the Metabase version number and retry. If still failing, mark Step 1 ❌ blocked.
Validation:
- If any validation check in Step 5 fails after 3 fix attempts, mark Step 5 ❌ blocked and report which check failed and why.
- If AskUserQuestion is not answered, remain blocked on that step — do not guess or proceed with assumptions.