## Looker integration Looker is Google Cloud's enterprise business intelligence platform for exploring data, building dashboards, and embedding analytics. Integrating Looker with Frontegg lets your application work with dashboards, Looks, queries, folders, and users through the Looker API 4.0. The integration authenticates with **Looker API3 credentials** — a Client ID and Client Secret pair generated for a Looker user. Frontegg exchanges them for a short-lived access token at your instance's `/api/4.0/login` endpoint, so there is no browser redirect or consent screen. API access is governed by the **role of the user** the credentials belong to, not by OAuth scopes — so bind the credentials to a minimal-privilege account. Prerequisites - A hosted **Looker** instance (`https://.cloud.looker.com`) - **Admin access** to the Looker instance, or an administrator who can generate API3 keys on your behalf - API credential management enabled for the user on the **Admin → Users** page ### Connect Looker #### Step 1: Identify your Looker instance name Frontegg needs the subdomain of your hosted Looker instance to build the API base URL. Sign in to Looker and look at your browser address bar: ``` https://mycompany.cloud.looker.com ``` | Value | Where it comes from | Example | | --- | --- | --- | | **Looker instance name** | The subdomain before `.cloud.looker.com` | `mycompany` | Instance name format Enter only the subdomain — for example, `mycompany`. Do not include `https://`, the `.cloud.looker.com` domain, the port, or a trailing slash. #### Step 2: Create a service-account user Google recommends not binding API credentials to a Looker admin account. In the Looker **Admin** panel, open **Users**, click **Add Users**, and create a dedicated user (for example, `frontegg-service`) with the minimum role required for the data your application needs. Access follows the user's role Looker has no per-integration OAuth scopes. The connector can perform any action the user behind the API key is allowed to perform. Assigning a least-privilege role to a dedicated service account keeps the integration's access scoped to exactly what it needs. You can skip this step and use an existing account, but a dedicated service account is the recommended approach. #### Step 3: Generate API3 credentials In the Looker **Admin** panel, open **Users**, find the user from Step 2 (or your own account), and click **Edit**. Scroll to the **API Keys** section and click **Edit Keys**, then **New API Key**. Looker generates an **API3 key** — a **Client ID** and **Client Secret** pair — for that user. #### Step 4: Copy your Client ID and Client Secret Copy both the **Client ID** and the **Client Secret** from the API Keys section. Copy the secret immediately The **Client Secret** is shown in full only when the key is created. If you lose it, you must delete the key and generate a new one. ### Configure the Frontegg portal Once you have collected the values from the steps above, enter them in the integration configuration page of the Frontegg portal: 1. Open the **Frontegg portal** and navigate to [ENVIRONMENT] → Integrations → Looker. 2. Fill in the **Connector credentials** form: - **Client ID** — the API3 Client ID from Step 3 - **Client Secret** — the API3 Client Secret from Step 3 - **Looker instance name** — the subdomain from Step 1 (for example, `mycompany`), without `https://`, the domain, the port, or a trailing slash 3. Click **Save**. Keep your credentials secure The Client Secret grants API access on behalf of the Looker user it belongs to. Never share or commit it to version control. Delete API keys you no longer use from **Admin → Users → Edit → API Keys**. ### Additional resources - [Looker API authentication](https://cloud.google.com/looker/docs/api-auth) - [Looker Admin settings — Users](https://cloud.google.com/looker/docs/admin-panel-users-users) - [Looker API 4.0 reference](https://cloud.google.com/looker/docs/reference/looker-api/latest)