Live Embed authentication

Understand board access rights and granting users permissions to view Miro Live Embed boards.

Board access rights

Embedding a Miro board via a direct link requires the same access rights as the board that you're embedding:

  • If a user can access a Miro board by opening it in their web browser, they can also access the corresponding embedded version.
  • If a user doesn't have the required permissions to access a board, they're also unable to view the corresponding embedded version.
  • If a user's web browser is configured to block third-party cookies, they need to sign in each time they want to access the board.

An embedded Miro board showing the *Access denied* notification.An embedded Miro board showing the *Access denied* notification.

Specific board access rights per user

To grant users additional permissions to access an embedded board, you can set BoardsPicker action to access-link.

This enables granting ad-hoc permissions to access a board that are enforced when the board is embedded.
For example, users who normally have read-only access to a board can be granted edit rights in the embedded version of the board.
For more information, see the documentation about the BoardsPicker component.

User access to embedded boards

When working with embedded Miro boards, it is important that users work with their own authentication. This ensures that access and content management remain consistent, and it avoids creating permissions gaps.

Currently, there is no API for developers to authenticate users in a Live Embed board. Instead, Miro handles the authentication via third-party cookies, and the embedded board reflects the access level of the Miro board.
For example, if a user has read-only access to a Miro board, then they have read-only access also to the embedded board.

Prompt for user authentication

A user can be prompted to sign in to Miro in the following cases:

In both cases, the Miro sign-in page is opened. The page can be opened in a new tab, in a new browser window, or in a pop-up. The Miro sign-in page cannot be opened in an iframe, as a security precaution.

After the user authentication via the Miro interface is completed, the user is redirected back to the previous window.

POST message authentication

The Miro authentication mechanism uses a POST message to share the authentication cookie directly with the iframe.
To succeed, POST messages must be enabled in the application where the embedded board iframe exists (for example, in an Electron app).

To force POST message authentication, add the usePostAuth=true URL parameter to the board embed URL.

See also