> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cube.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Exchange a session for an embed token

Exchanges a one-time embed session id (created via `POST /api/v1/embed/generate-session`) for a signed, short-lived embed JWT used to authenticate the embedded analytics in the browser.

The session is **single-use**: it is consumed (deleted) on the first successful exchange, so a given `sessionId` can be redeemed only once. The returned token is signed with the tenant's embed secret, issued by `cubecloud`, and expires after 24 hours.

This endpoint is unauthenticated — it is called from the embedding client and the session id itself is the credential. Returns `401` if the session id is unknown or has already been redeemed.


## OpenAPI

````yaml /api-reference/api.yaml post /v1/embed/session/token
openapi: 3.1.0
info:
  title: Cube Cloud REST API
  version: 1.0.0
  description: >-
    Programmatically manage Cube Cloud: deployments and everything scoped to
    them

    (environments, folders, reports, workbooks, notifications, workspace, and
    agents),

    plus account-level users, groups, policies, embedding, and AI settings.
servers:
  - url: https://{tenant}.cubecloud.dev/api
    description: >-
      Cube Cloud API base URL. Replace the whole host if you use a custom
      domain.
    variables:
      tenant:
        default: your-tenant
        description: Your Cube Cloud tenant subdomain
security:
  - bearerAuth: []
tags:
  - name: Deployments
  - name: Environments
  - name: Folders
  - name: Reports
  - name: Workbooks
  - name: Notifications
  - name: Workspace
  - name: Embed
  - name: Embed Tenants
paths:
  /v1/embed/session/token:
    post:
      tags:
        - Embed
      summary: Exchange a session for an embed token
      operationId: postTokenBySessionId
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PostTokenBySessionIdInput'
        description: PostTokenBySessionIdInputDTO
        required: false
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenerateEmbedTokenResponse'
          description: ''
components:
  schemas:
    PostTokenBySessionIdInput:
      properties:
        sessionId:
          type: string
      required:
        - sessionId
      type: object
    GenerateEmbedTokenResponse:
      properties:
        token:
          type: string
      required:
        - token
      type: object
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: 'Token authentication. Send `Authorization: Bearer <YOUR_TOKEN>`.'

````