Integrate CARTO in your existing application
Learn how to securely embed CARTO into your existing architecture providing fine-grained data access
Last updated
Was this helpful?
Learn how to securely embed CARTO into your existing architecture providing fine-grained data access
Last updated
Was this helpful?
When you build a solution from scratch using CARTO you can choose between the three different to secure your application. However, in many other cases the starting point is an existing application with its own login system where you want to add a geospatial component, such as a map visualization.
In this guide you will learn how to integrate CARTO with an existing application that has its own login system, implementing the machine-to-machine authentication in order to provide fine-grained data access to the end users.
In this guide, the ACME company has decided to add maps to their existing application and CARTO will be the platform used for it. They have two important requirements:
ACME wants to keep its own login system.
The maps will show different data based on the user, in this case, based on the user's group.
With this in mind, we are going to develop a backend endpoint in order to generate a CARTO with only access to the data the user has permission for in our application, the frontend application will use that token to interact with the rest of the CARTO APIs.
The data used for this guide will be the table retail_stores contains all the retails in the US, It's available at carto-demo-data.demo_tables.retail_stores.
In our demo application we will have two users:
The user in the group of BOSTON will only see the stores in the city of Boston, the user in group NEW YORK will be limited to New York.
Now, the next step is to uncomment the following line in the file (it specifies an output folder for all emitted files):
As an optional step, you would like to add to have extra help to develop by restarting your application automatically when there are changes in your code. To do that, install the following dependencies:
And add the following content to the file package.json:
Now, just typing npm run dev the server will run up and you can see the changes in the code immediately.
Once the application is created, you will have to get the Client ID and the Client Secret
Now, we have to create a couple of endpoints: a basic login endpoint to authenticate the user and an endpoint to generate the CARTO token.
For the login endpoint, the responsibilities will be:
Check the login and password.
Get the group of the user and create a JWT token.
While the endpoint to get the CARTO token will do:
Validate the JWT in the Authentication header.
Replace the file index.ts with the following content:
Create a .env file located in the root of the backend with the following content:
The most important function involved in the endpoint is the one called getAPIAccessTokenForGroup that owns the logic to interact with CARTO in order to get a valid token for the frontend side. Let's see what its implementation looks like:
That means, that once the token is created, the client using this token only will have permission to execute the defined query and get only the data declared in the grants.
Finally, once the code for the backend is ready you can run the server just by typing in your terminal:
At this point, our backend is ready to generate tokens for our users. In the following code you can see an example of a frontend application that does:
Login.
Use the token to call CARTO APIs.
To run this, first, you need to clone the project:
Edit the .env file at set the VITE_API_BASE_URL:
Run:
Since this guide needs a backend and a frontend application, the first thing we have to do is create the structure to store the code for these components. Let's start with the backend side and install the needed dependencies to work with :
We are going to use on both the backend and frontend sides, so we need to install the required dependencies:
In order to use the CARTO APIs you need to authenticate your requests. For a backend-side application, the recommended approach is to do so by creating a Machine to Machine OAuth Client (). To create this OAuth Client, you need to go to -> Developers -> Credentials -> Create New -> M2M OAuth Client
Extract the group and create the token via .
The function will take one parameter indicating the group in order to create the right token. The first thing to do is to get the environment variables to interact with the CARTO API. The next step is to obtain an to deal with the rest of the APIs. To get this first token you can see in the line 7 to 13 how to use the Client ID and the Client Secret to make the request and get this token. Once, you have a valid OAuth Access Token, the last step is to create an for the specific grants. In this case, the grants include the permission to execute a specific SQL query to get all the retail for a specific city.
If your application requires dynamic queries, you can use in and API.
Call the previous endpoint to get an with the permissions limited to the user.
All the code for this guide is available on .
We recommend you to visit Visualization with deck.gl to learn more about the different visualizations you can create using deck.gl. There are many examples in our that might be useful to improve your application!
