This guide provides an overview of implementing secure tenant dashboard management using HMAC signature authentication for enterprise-grade multi-tenant security.

Architecture Overview

Your API (Tenant Management)
  → HMAC Signed Request → Papermap Dashboard API
  → Dashboard Created/Retrieved
  → Generate Iframe Token (HMAC Signed)
  → Frontend Embeds Dashboard

Key Components

  1. TenantDashboard Model - Maps tenants to Papermap dashboards
  2. HMAC Signature Service - Securely authenticates API requests
  3. Dashboard Handler - Creates dashboards and generates embed tokens
  4. Dashboard Router - API endpoints for dashboard operations

Quick Start

Follow these guides in order to implement the backend:

  1. Set Up Authentication - Implement HMAC signature authentication to securely communicate with the Papermap API.
     Guide: HMAC Authentication - Learn how to implement HMAC-SHA256 signature authentication
  2. Create Dashboards - Set up the ability to create and manage dashboards for your tenants.
     Guide: Creating Dashboards - Learn how to create dashboards via the Papermap API
  3. Generate Embed Tokens - Generate secure tokens to embed dashboards in your frontend.
     Guide: Iframe Embed Tokens - Learn how to generate secure embed tokens
  4. Build API Endpoints - Create REST API endpoints for your frontend to interact with.
     Guide: API Endpoints - Example REST API endpoints for dashboard operations
  5. Secure Your Implementation - Follow security best practices for production deployment.
     Guide: Security Best Practices - Learn about security considerations and best practices

Database Model

First, create a model to link your tenants to their Papermap dashboards. You are not required to store the mapping this way, but you need some way to map each tenant to its dashboards:

from sqlalchemy import Column, Integer, String

from .database import Base


class TenantDashboard(Base):
    """Maps one of your tenants to its Papermap dashboard."""
    __tablename__ = 'tenant_dashboards'

    # Surrogate primary key; the SQLAlchemy ORM requires one on every mapped class.
    id = Column(Integer, primary_key=True)
    # Indexed because dashboards are looked up by tenant.
    tenant_id = Column(String(255), nullable=False, index=True)
    workspace_id = Column(String(255), nullable=False)
    dashboard_id = Column(String(255), nullable=False)

Purpose: Links your tenant to a Papermap dashboard ID for secure access and isolation.

Prerequisites

Before implementing, ensure you have:
  • Papermap API credentials (API Key ID and Secret Key)
  • Your workspace ID
  • API endpoint URL (obtain from your Papermap dashboard settings)

Security Best Practices:
  • Never hardcode API endpoints, keys, or secrets in your code
  • Always use environment variables or a secrets management system
  • The API endpoint URL should be treated as sensitive configuration
  • Store credentials securely and rotate them regularly

Environment Configuration

Store your credentials securely in environment variables:
.env
PAPERMAP_API_KEY_ID=your-api-key-id
PAPERMAP_SECRET_KEY=your-secret-key-never-share
PAPERMAP_API_URL=<your-api-endpoint>

Obtaining Your Configuration:
  • API Credentials: Available in your Papermap dashboard under Settings → API Keys
  • API Endpoint: Available in Settings → API Configuration
  • Always use the values provided in your dashboard for your specific workspace

Implementation Guides

Common Pattern Reference

The HMAC signature pattern for tenant dashboards follows this flow:
1. Create Payload
   payload = workspace_id + valid_until

2. Generate Signature
   signature = HMAC-SHA256(payload, secret_key)

3. Send Request with Headers
   X-API-Key-ID: <api_key>
   X-Workspace-ID: <workspace_id>
   X-Valid-Until: <timestamp>
   X-Signature: <signature>

4. Store Result
   tenant_id → dashboard_id mapping

5. Generate Embed Token
   Encode {tenant_id, dashboard_id, signature, expires} as base64
This pattern ensures secure, time-limited access to tenant-specific dashboards.
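
Steps 1 to 3 of the flow above, together with the check a receiver would run, as an added example that is not Papermap's own code. It assumes valid_until is a Unix timestamp in seconds and that the signature is hex-encoded; the page specifies neither, and the function names and sample values are hypothetical.

```python
import hashlib
import hmac
import time


def sign(workspace_id: str, valid_until: int, secret_key: str) -> str:
    """Steps 1-2: HMAC-SHA256 over workspace_id + valid_until (hex output is an assumption)."""
    payload = f"{workspace_id}{valid_until}".encode()
    return hmac.new(secret_key.encode(), payload, hashlib.sha256).hexdigest()


def build_headers(api_key_id, workspace_id, secret_key, ttl=300, now=None):
    """Step 3: headers for a request that expires ttl seconds from now."""
    valid_until = int(now if now is not None else time.time()) + ttl
    return {
        "X-API-Key-ID": api_key_id,
        "X-Workspace-ID": workspace_id,
        "X-Valid-Until": str(valid_until),
        "X-Signature": sign(workspace_id, valid_until, secret_key),
    }


def verify(headers, secret_key, now=None):
    """Receiver-side check: reject malformed, expired or tampered requests."""
    now = now if now is not None else time.time()
    try:
        valid_until = int(headers["X-Valid-Until"])
        expected = sign(headers["X-Workspace-ID"], valid_until, secret_key)
        supplied = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if valid_until < now:
        return False  # time-limited: an old signature cannot be replayed later
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    # Constructed sample values; real ones come from environment variables.
    h = build_headers("key-id", "ws-123", "demo-secret", now=1_700_000_000)
    print(h)
    print("fresh:", verify(h, "demo-secret", now=1_700_000_100))
    print("expired:", verify(h, "demo-secret", now=1_700_000_301))
    h["X-Workspace-ID"] = "ws-999"  # header changed after signing
    print("tampered:", verify(h, "demo-secret", now=1_700_000_100))
```
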

Next Steps

Frontend Setup

Learn how to embed dashboards in your frontend application