If you need to obfuscate the parameters in the URL, you can sign the parameter __token in the URL of your view as a JWT token. This parameter has to be signed with your LATITUDE_MASTER_KEY that you will find in the .env file in the root of your latitude project.

If you don’t see a .env file in your project you can run:

latitude credentials add > .env

This command will create LATITUDE_MASTER_KEY in an .env file


A note on security

It is crucial to add your .env file to your .gitignore before deploying to prevent exposure of your LATITUDE_MASTER_KEY.

Ensure that you generate a unique LATITUDE_MASTER_KEY for the production environment.
If you’re using Latitude Cloud, you can store the master key with latitude secrets add LATITUDE_MASTER_KEY=<key_generated_by_previous_command>.


Imagine you want to obfuscate the parameter workspace_id to be used in your query like this:

SELECT * FROM table WHERE workspace_id = {param('workspace_id')}

Normally you would have a URL like this:


But this way anyone can see the name of this secret workspace_id parameter and try to send a different value. To avoid this you can sign the parameter workspace_id with the LATITUDE_MASTER_KEY like this:

This example is using our own JS implementation of JWT but you can easily do this in your server side language.

import { signJwt } from '@latitude-data/jwt'
const masterKey = process.env['LATITUDE_MASTER_KEY']
const signedParams = { workspace_id: 123 }
const token = await signJwt({ secretKey: masterKey, payload: signedParams  })

// Now this token will look something like this
// console.log(token) -> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ3b3Jrc3BhY2VfaWQiOjEyM30.1JZ

Now you can use this token in your URL like this