cors-api
Looker CORS API OAuth Pattern (Direct Browser Auth)
This skill describes the Direct Browser OAuth pattern for Looker. It allows frontend applications to authenticate users directly against a Looker instance and make secure API calls via CORS without requiring a custom backend proxy.
1. The Core Pattern
The pattern leverages Looker's built-in OAuth2 support with PKCE (Proof Key for Code Exchange) to safely perform the authentication flow entirely in the browser.
Architectural Components
- Browser Application: The frontend app that performs the OAuth flow and makes direct fetch calls to the Looker API.
- Looker Auth Server: Handles user login, consent, and issues access tokens.
- Looker API: Serves data directly to the browser via CORS.
2. The OAuth2 + PKCE Flow
Because a browser application is a "public client" and cannot store secrets, PKCE is used to secure the authorization code exchange.
- Code Challenge Generation: The app generates a cryptographically random code_verifier and its SHA-256 hash, the code_challenge.
- Redirect to Looker: The app redirects the user to Looker's /auth endpoint with parameters:
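The code challenge generation step, as an added example that is not part of the original skill text: it derives the code_verifier and S256 code_challenge with the Web Crypto API and shows the comparison an authorization server makes at code exchange under RFC 7636. The function names and the storage key are assumptions made for illustration.

```javascript
// Added example: PKCE S256 values (RFC 7636) for a browser public client.
// The Node fallback exists only so the snippet also runs outside a browser.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// base64url without padding, the encoding RFC 7636 uses for both values.
function base64UrlEncode(bytes) {
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// 32 bytes from the CSPRNG give a 43-character verifier (allowed: 43 to 128).
function generateCodeVerifier() {
  const bytes = new Uint8Array(32);
  webCrypto.getRandomValues(bytes); // never Math.random() for this
  return base64UrlEncode(bytes);
}

// code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
async function deriveCodeChallenge(codeVerifier) {
  const data = new TextEncoder().encode(codeVerifier);
  const digest = await webCrypto.subtle.digest("SHA-256", data);
  return base64UrlEncode(new Uint8Array(digest));
}

// The check an authorization server makes at code exchange: the verifier
// presented with the code must hash to the challenge sent in the redirect.
async function verifierMatchesChallenge(codeVerifier, storedChallenge) {
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(codeVerifier)) return false;
  return (await deriveCodeChallenge(codeVerifier)) === storedChallenge;
}

// Start of the flow: keep the verifier in the browser, expose only the hash.
// `storage` is sessionStorage in a browser; the key name is an assumption.
async function beginPkce(storage) {
  const codeVerifier = generateCodeVerifier();
  storage.setItem("pkce_code_verifier", codeVerifier);
  const codeChallenge = await deriveCodeChallenge(codeVerifier);
  return { codeChallenge, codeChallengeMethod: "S256" };
}
```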