Authentication overview

Metabase provides various authentication mechanisms to control access to its analytics platform, catering to different deployment scenarios and organizational security requirements. These methods range from internal username and password management to integration with external identity providers through Single Sign-On (SSO) protocols. The choice of authentication method depends on factors such as existing IT infrastructure, the need for centralized user management, and compliance considerations. Proper authentication ensures that only authorized users can access sensitive data and dashboards within Metabase.

For self-hosted Metabase instances, administrators have direct control over the configuration of authentication settings, often involving environment variables or direct database configuration. Metabase Cloud instances manage some of these complexities, offering streamlined setup for common SSO providers. Beyond user authentication, Metabase also employs API keys for programmatic interactions, such as embedding dashboards or automating data refreshes, which require a different approach to credential management and security.

Supported authentication methods

Metabase supports a range of authentication methods, allowing organizations to choose the most suitable option for their security policies and existing identity management systems. The primary methods include:

  • Internal Username and Password: This is the default authentication method for new Metabase instances. Users create accounts directly within Metabase, and their credentials (hashed passwords) are stored in Metabase's application database. This method is suitable for smaller teams or initial setups without existing identity providers.
  • LDAP (Lightweight Directory Access Protocol): Metabase can integrate with LDAP servers, allowing organizations to authenticate users against their existing directory services like Microsoft Active Directory. This centralizes user management and leverages existing security policies.
  • Google Sign-In: For organizations using Google Workspace, Metabase offers integration with Google Sign-In. This enables users to authenticate using their Google accounts, simplifying the login process and potentially benefiting from Google's multi-factor authentication (MFA) capabilities. Further details on this integration are available in the Metabase Google SSO documentation.
  • SAML (Security Assertion Markup Language): SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). Metabase acts as a service provider, integrating with various SAML-compliant identity providers such as Okta, OneLogin, or Azure AD. SAML integration is a common choice for enterprises seeking robust SSO capabilities and centralized access control. The Metabase SAML authentication guide provides setup instructions.
  • API Keys: For programmatic access, such as embedding Metabase dashboards into other applications or interacting with the Metabase API, API keys are used. These keys allow external applications to authenticate and perform actions on behalf of a specific user or a service account.

Authentication methods comparison

Method                     | When to Use                                                  | Security Level                                | Complexity
Internal Username/Password | Small teams, initial setup, no existing IdP                  | Medium (dependent on password policies)       | Low
LDAP                       | Organizations with existing LDAP/Active Directory            | High (leverages existing directory security)  | Medium
Google Sign-In             | Organizations using Google Workspace                         | High (benefits from Google's security, MFA)   | Low-Medium
SAML                       | Enterprises needing centralized SSO, custom IdP integration  | High (robust standard, supports MFA via IdP)  | Medium-High
API Keys                   | Programmatic access, embedding, integrations                 | High (if managed securely, rotated)           | Medium

Getting your credentials

The process for obtaining and managing credentials in Metabase varies by authentication method:

  • Internal Username and Password:
    • Initial Setup: The first user to access a new Metabase instance creates an admin account with a username and password.
    • User Creation: Administrators can create new user accounts directly within the Metabase Admin Panel under 'People'. Users can also sign up if self-service registration is enabled.
    • Password Reset: Users can reset their passwords via the login page if email settings are configured, or administrators can reset them from the 'People' section.
  • LDAP, Google Sign-In, and SAML:
    • Configuration: An administrator must configure the respective SSO method in the Metabase Admin Panel under 'Authentication'. This involves providing details such as LDAP server settings, Google API client IDs, or SAML metadata. Refer to the Metabase authentication setup documentation for comprehensive guides.
    • User Provisioning: Users typically log in using their existing credentials from the linked identity provider. Metabase can often provision user accounts automatically upon their first successful login (Just-In-Time provisioning).
    • Credential Management: User credentials (passwords) are managed by the external identity provider (e.g., Google, your LDAP server, your SAML IdP), not by Metabase.
  • API Keys:
    • Generation: How a credential is obtained depends on the kind of programmatic access. For embedding, Metabase uses signed tokens that your application generates and that expire, rather than persistent API keys. For direct API access, a session token is obtained after authenticating with a username/password or an existing API key.
    • Management: API key management, including rotation and revocation, should be handled carefully to maintain security. Metabase's embedding feature often uses signed JSON Web Tokens (JWTs), which have built-in expiration and are tied to specific user permissions. Information on embedding can be found in the Metabase embedding guide.

Authenticated request example

Metabase's API is primarily used for administrative tasks, embedding, or integrating with other applications. Most API interactions require a session token obtained after successful authentication. Here's an example of how to obtain a session token and then use it for a subsequent API request using curl.

Step 1: Obtain a Session Token (Login)

This example assumes internal username/password authentication. Replace your_metabase_url, your_username, and your_password with your actual details.

curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"username": "your_username", "password": "your_password"}' \
  "https://your_metabase_url/api/session"

The response contains the session ID in the id field. For example:

{
  "id": "your_session_id",
  "last_login": "2026-05-29T10:00:00Z",
  "first_login": false
}

Step 2: Use the Session Token for an Authenticated Request

Once you have the session ID (the id value from the login response), include it in the X-Metabase-Session header on subsequent API calls. This example fetches the databases configured in Metabase.

curl -X GET \
  -H "X-Metabase-Session: your_session_id" \
  "https://your_metabase_url/api/database"

For embedding, Metabase typically uses signed JWTs rather than direct session IDs. These tokens are generated by your application server and include parameters defining the user, permissions, and dashboard to be embedded. The Metabase embedding documentation provides detailed examples for generating these tokens.
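As an added example (not code from the Metabase documentation or project), the following stdlib-only Python signs a short-lived embedding token of the kind the paragraph describes and verifies it the way the receiving side must: algorithm pinned, constant-time signature comparison, expiry enforced. The resource/params/exp payload shape follows Metabase's documented static-embedding token format; EMBED_SECRET, the dashboard id and the filter values are constructed placeholders, and the now parameter exists only to make the expiry checks deterministic.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder. In a real deployment the embedding secret comes from
# Admin > Embedding and is loaded from an environment variable or secret store.
EMBED_SECRET = "constructed-example-secret-0123456789abcdef"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # JWT: no padding

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_embed_token(secret, dashboard_id, params, ttl_seconds=600, now=None):
    """HS256-sign a short-lived token for one dashboard; 'params' carries the
    locked filter values the viewer cannot change (Metabase static-embedding shape)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"resource": {"dashboard": dashboard_id},
               "params": params, "exp": now + ttl_seconds}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_embed_token(secret, token, now=None):
    """Return the payload if signature and expiry check out, else None.
    These are the checks the receiving side must make: alg pinned to HS256,
    constant-time signature comparison, and exp enforced."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:
        return None  # malformed: wrong segment count, bad base64 or bad JSON
    if header.get("alg") != "HS256":
        return None  # never let the token choose the algorithm
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # wrong secret or tampered header/payload
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None  # expired or missing expiry
    return payload
```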

Security best practices

Implementing strong authentication and access control is critical for securing data within Metabase. Adhering to these best practices helps protect against unauthorized access and data breaches:

  • Use Strong, Unique Passwords: For internal Metabase accounts, enforce strong password policies, including length, complexity, and regular rotation. Avoid reusing passwords across different services. This is a fundamental principle of web authentication security.
  • Implement Single Sign-On (SSO): Whenever possible, integrate Metabase with an existing SSO solution (SAML, Google Sign-In, LDAP). SSO centralizes user management, reduces password fatigue, and often enables advanced security features like Multi-Factor Authentication (MFA) provided by the IdP.
  • Enable Multi-Factor Authentication (MFA): If using an SSO provider that supports MFA (e.g., Google Sign-In, SAML IdPs like Okta), ensure it is enabled for all Metabase users. MFA adds an extra layer of security by requiring users to provide two or more verification factors to gain access.
  • Manage API Keys Securely: For programmatic access, treat API keys with the same care as passwords. Store them securely (e.g., environment variables, secret management services), limit their scope to only necessary permissions, and rotate them regularly. Avoid hardcoding API keys directly into codebases.
  • Apply Principle of Least Privilege: Configure user and group permissions in Metabase to grant only the minimum necessary access to data and features. Regularly review and update these permissions.
  • Regularly Review Access Logs: Monitor Metabase access logs for unusual activity, failed login attempts, or unauthorized access patterns. This can help detect and respond to potential security incidents promptly.
  • Keep Metabase Updated: Ensure your Metabase instance (especially self-hosted) is always running the latest stable version. Updates often include security patches and vulnerability fixes. Consult the Metabase upgrade guide for instructions.
  • Secure Your Metabase Environment: For self-hosted deployments, ensure the underlying infrastructure (server, database) is secured with firewalls, network segmentation, and regular security audits.