Spotfire 14.5 Web Player JavaScript API Reference

Spotfire JavaScript API

With the Spotfire® JavaScript API it is possible to embed Spotfire visualizations and dashboards into web pages. The API supports customized layout and enables integration with external web applications.

The JavaScript API can be used for a diverse set of scenarios:

  • Embed Spotfire visualizations into a corporate web site.
  • Open a Spotfire analysis from a link, and configure the data or the analysis depending on the user.
  • Integrate Spotfire analyses with other web applications.

The JavaScript API supports opening multiple views against the same analysis, where all views are automatically linked together. This gives a lot of flexibility when creating a mashup.

The key capabilities of the JavaScript API include:

  • Interact with pages: get all pages, get or set active page.
  • Get or set currently marked rows.
  • Get data from marked rows.
  • Get information about or set the values of a filter column.
  • Get metadata for all data tables.
  • Get distinct values of a given data column.
  • Get or set document properties.
  • Apply bookmarks.
  • Call a custom tool.
  • Export to PDF or PowerPoint or call a custom export tool.
  • Register event handlers for events related to pages, data, markings, document properties and more.

This tutorial describes the important concepts and capabilities of the JavaScript API.

Download the latest TypeScript declaration file (d.ts), Spotfire JavaScript API (14.5). Using this is optional, but simplifies the development as it can provide code completion and documentation inside your preferred IDE.

The API uses the OAuth 2.0 protocol for authentication and authorization, with the Spotfire Server itself as Authorization Server. Authentication and authorization can also be delegated to an external Authorization Server or similar through the use of Token Exchange.

The web mashup acts as an API client towards the Spotfire Server. Each request from the mashup will include an access token, which the web mashup client establishes through an OAuth2 Authorization Code flow or through an OAuth2 Token Exchange flow. When using the Authorization Code flow most of the process will be handled by the JavaScript OAuth client included in the Spotfire server (/spotfire/js-api/oauth.js).

To use the Spotfire JavaScript API an OAuth2 API client must first be registered on the Spotfire Server.

Registration on the Spotfire Server is done using the register-api-client command of the Spotfire Server command-line configuration tool. Example:

register-api-client --name="JavaScript API client" -Sapi.js-api -Soffline --client-profile=user_agent -Gauthorization_code -Grefresh_token -Ahttps://example.com -Rhttps://example.com/foo/return

The -A argument specifies the allowed origin, where the Web Mashup will be running. The -R argument specifies the redirect URI to which the browser is returned after the user has authenticated (the OAuth redirect page). It must be the same value as given to the new redirectUri setting (see below). The redirect URI must reside on the same origin as specified in the -A argument.

The required scopes (-S argument) are api.js-api and offline. The required grant type (-G argument) is authorization_code. It is recommended to specify refresh_token as well for a better user experience. The grant type token_exchange is also supported but requires requires the mashup to provide a subject token, and that the Spotfire Server is properly configured.

Running the command above gives an output like this:

Successfully registered a new API client with the display name 'JavaScript API client':
Client ID: 12f4a3c33d377ed5c7ab476d69ea52d1.oauth-clients.spotfire.com
No client secret issued (public client)
To view the full client configuration, please use the 'show-oauth2-client' command.
To get a list of all existing clients, please use the 'list-oauth2-clients' command.
To delete a registered client, please use the 'delete-oauth2-client' command.

After registration the client ID given in the output must be set in the clientId setting of the web mashup.

Some notes:

  • All Spotfire Server API clients are normally required to use https. This applies to JavaScript API clients as well. It is however possible to lift this requirement using the security.oauth2.client.redirect-uri-must-use-https configuration property.
  • If an API client has been registered as shown in the example then each user must give consent for the API client to access Spotfire visualizations and dashboards on their behalf, and embed these into web pages. The administrator registering the API client may specify that end-user consent is not needed for a particular API client by specifying --require-end-user-consent=false when registering the client.
  • The API allows for silent authentication (where an access token is automatically issued to the client). For this to work the user must be already authenticated (which requires the use of cookies, and may not work in all browsers), or it must be possible to authenticate the user without user interaction (an example of this would be Kerberos authentication). Set the silent setting of the Web Mashup to true to attempt silent authentication.
  • The API client must provide an access token even when the analysis is available to anonymous users. The API is now explicit about the use of anonymous authentication. Set the anonymous setting of the Web Mashup to true to request such a token.

The user is authenticated when calling the spotfire.webPlayer.authenticate function. Depending on the settings this may be silent (by specifying silent or including a subjectToken) or initiate an OAuth authorization code flow.

The options in the authentication settings objects can be found here.

Once the authenticate method resolves, the mashup code should continue by calling the connect method. This performs several steps.

  • Download the rest of the API
  • Verify the existence of the analysis
  • Return an instance of the Spotfire Application, the entry point for the API.

The options in the connect settings objects can be found here.

The openDocument method open the analysis in the specified HTML element, and return a document instance. This object contains most methods to control the behavior of the web mashup. Note that it is valid to call the openDocument method multiple times. Each opened document shares the application instance, and marking carries over between all instances. If you on the other hand want to open separate instances of a single (or different) Spotfire analyses, this can be achieved by calling connect multiple times.

Below is a basic example showing the required steps to open a Spotfire analysis using the JavaScript API, using the methods described above.

<html>
<head>
<script src="https://my.spotfire.com/spotfire/js-api/oauth.js"></script>
<script>
document.addEventListener('DOMContentLoaded' loadMashup);
function loadMashup() {
const server = "https://my.spotfire.com";
const clientId = "registered_client_id";
const redirectUri = "https://client.website.com/oauthEnd.html";
const path = "/user/my analysis";

/** Declare the version of the API */
spotfire.webPlayer.setApiVersion("14.5");

/** Authenticate the user */
const authSettings = { clientId, server, redirectUri };
spotfire.webPlayer.authenticate(authSettings).then(connect).then(open).catch(onError);

/** Connect to a specified analysis using the authentication token */
function connect(token) {
const connectSettings = { token, path };
return spotfire.webPlayer.connect(connectSettings);
}

/** Open the start page */
function open(application) {
application.openDocument("SpotfireContent");
}

function onError(err) {
console.error("Spotfire JavaScript API Error:", err.category, err.code, err.message);
}
}
</script>
</head>
<body>
<div id="SpotfireContent" />
</body>
</html>

The redirect page declared in the API client registration must be hosted on the same domain as the web mashup itself. If a customer has multiple web mashups it is sufficient to server all these with a single API client and a single redirect page. The redirect page only needs to call spotfire.webPlayer.oauthEnd().

<!DOCTYPE html>
<html>
<head>
<title>Generic OAuth Endpoint</title>
<script src="https://my.spotfire.com/spotfire/js-api/oauth.js"></script>
<script>
/** Processes the oauth result and redirects back. */
spotfire.webPlayer.oauthEnd();
</script>
</head>
</html>

The use of the Token Exchange grant enables users to be signed in using an access token from an external authorization server (or other trusted party) without having to authenticate again. This can be useful when, for example, embedding Spotfire into a portal that already authenticates users.

To use this grant, the mashup has to establish a subject token (adhering to the requirements described below). The subject token may either be created by the mashup itself (or rather a backend supporting it) or by an external authorization server. The subject token is then passed to the JavaScript API through the subjectToken parameter and is exchanged for an access token issued by the Spotfire Server. The Token Exchange grant must be explicitly enabled by configuring the Spotfire Server to trust tokens issued by the external authorization server.

In some cases it may be possible to use the silent authentication mechanism to achieve single sign on, as mentionened above. This is not possible in a vanilla setup of Spotfire as it requieres the existence of an authentication mechanism that does not require user interaction.

When registering the API client -Gtoken_exchange must be specified (together with -Grefresh_token -Gauthorization_code).

Configuration is done using the config-rfc-9068-token-exchange-authenticator command. The most basic configuration only requires setting the URI to the OAuth 2.0 Authorization Server Metadata document of the external Authorization Server. The metadata document MUST contain an issuer and a jwks_uri (with the keys needed to verify subject token signatures).

If no Metadata document is available, it is possible to instead configure an expected issuer (a string) and either a static JWKS or a JWKS URI with the key(s) needed to verify subject token signatures.

See the help for the config-rfc-9068-token-exchange-authenticator command for more configuration options.

The subject token issued by the mashup backend or an external authorization server must meet the requirements below.

  • Must adhere to the requirements of RFC 9068 (JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens).
  • The aud claim must include the Spotfire Server Token Endpoint URI (http[s]://<hostname>[:<port>]/spotfire/oauth2/token).
  • The token should contain a may_act claim.
  • If the token contains a may_act claim then the value of the client_id sub-claim must be the client ID of the client using the token.
  • The token should contain a scope claim.
  • If the token contains a scope claim then the value must include the api.js-api and offline scopes.

Below is an example of a token that meets all mandatory and optional requirements described above.

eyJraWQiOiI4YzE1YmMwMS0zZGY4LTQ0MmUtYTY2MS1iNTg5YTJjZWU5ODAiLCJ0eXAiOiJhdCtqd3QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJqb2huZG9lIiwiYXVkIjoiaHR0cHM6Ly9zcG90ZmlyZS5leGFtcGxlLmNvbS9zcG90ZmlyZS9vYXV0aDIvdG9rZW4iLCJzY29wZSI6ImFwaS5qcy1hcGkgb2ZmbGluZSIsImlzcyI6Imh0dHBzOi8vYXMuZXhhbXBsZS5jb20iLCJtYXlfYWN0Ijp7ImNsaWVudF9pZCI6IjEyZjRhM2MzM2QzNzdlZDVjN2FiNDc2ZDY5ZWE1MmQxLm9hdXRoLWNsaWVudHMuc3BvdGZpcmUuY29tIn0sImV4cCI6MTczMTM0NTA2MywiaWF0IjoxNzMxMzM3ODYzLCJjbGllbnRfaWQiOiJyN3huaXBwMDJwIiwianRpIjoiZmMxOGVhYTEtMDIxNi00ZGI0LTgxODctODZmNjA5YzVkZDVkIn0.gCCXGRaEUH2YWuz9ivIML_sRL1E7zpXSBvgfuEDUEq9J6cKJVklw-A4QxjWLEhWRQnDHFrbL0puNPjFAGxqJpMVGJ3CwQ7MFUi7UiiI2lwMwWhcZjmoerVzk3G4OC_r0PVMhdV6wXfSs50Ka15sWIjGcnicx42i0h4wSqE0XAddDiIJ1wiAhFsUsBXzb8ZYqorAD3FwM5nAdY1OF8vdWaZVXqT4xAUL95sFy2Ididb5C5PltlJcszhN93UB0-Ukm7eIs2HrNj9HXWXMJ8VS_PdHRIShUPszyqADNMGByAg67YgtBL_w8ccv603pCeXkzCAlqN5Tx1rQxGo70J5dRGw

The payload of the token above is shown below.

{
"sub": "johndoe",
"aud": "https://spotfire.example.com/spotfire/oauth2/token",
"scope": "api.js-api offline",
"iss": "https://as.example.com",
"may_act": {
"client_id": "12f4a3c33d377ed5c7ab476d69ea52d1.oauth-clients.spotfire.com"
},
"exp": 1731345063,
"iat": 1731337863,
"client_id": "r7xnipp02p",
"jti": "fc18eaa1-0216-4db4-8187-86f609c5dd5d"
}

The initialization of a web mashup is usually the most error prone phase that may be difficult to debug. The initialization methods authenticate and connect can result in errors for different reasons. All errors are categorized and contain, in addition to a semi user friendly error message, also a code and a category to guide the developer of the mashup.

This category signals that the developer most likely has used the API in an incorrect way. The possible codes and messages are:

  • INVALID_SERVER: "Invalid server URL '{0}'.",
  • INVALID_REDIRECT_URL: "Invalid domain. The redirect URL ('{0}') must match the domain of the current page ('{1}').",
  • NON_SILENT_ANONYMOUS_FLOW: "Anonymous authentication must use silent mode.",
  • INVALID_TOKEN: "Invalid authorization token.",
  • MISSING_TOKEN: "Missing authorization token.",
  • INVALID_PATH: "Invalid analysis path '{0}'.",
  • INVALID_API_VERSION: "Invalid API version '{0}'.",
  • SET_API_VERSION: "API version must be set once."

This category is used for errors that can occur during the authorization flow. These can be either configuration errors or merely an expected error if the end user, for example, does not consent to allow access to Spotfire.

  • ACCESS_DENIED: "The user or authorization server denied access to Spotfire.",
  • INVALID_REQUEST: "The request is missing a parameter, contains an invalid parameter, includes a parameter more than once, or is otherwise invalid.",
  • INVALID_SCOPE: "The requested scope is invalid or unknown.",
  • SERVER_ERROR: "Server error.",
  • TEMPORARILY_UNAVAILABLE: "The authorization server is temporarily unavailable.",
  • UNAUTHORIZED_CLIENT: "The client is not allowed to request an authorization code.",
  • UNSUPPORTED_RESPONSE_TYPE: "The server does not support obtaining an authorization code."

These errors indicate that the configuration of the server is incorrect.

  • ENDPOINT: "Failed to get OAuth endpoint.",
  • HASH_ALGORITHM: "Hashing algorithm {0} is not configured on server {1}.",
  • SCOPE: "Scope {0} is not configured on server {1}.",
  • RESPONSE_TYPE: "OAuth response type {0} is not configured on server {1}."

These errors might be temporary, due to network errors, or the user trying to manipulate the code.

  • FAILED_TO_REFRESH_TOKEN: "Failed to refresh OAuth token. Reason: '{0}'.",
  • INVALID_STATE: "Invalid OAuth state.",
  • FAILED_TO_LOAD_API: "Failed to load the Spotfire JavaScript API version. Reason unknown.",

Note that specifying an older API version does not change the running Spotfire version, nor does it change any Spotfire functionality. It does however limit the available JavaScript API in runtime, ensuring that the web mashup will function when connecting to an older Spotfire system.

MMNEPVFCICPMFPCPTTAAATR