How to Impersonate an Embed User via the URL Builder

When debugging an embed user’s experience, the most reliable approach is to log in as the user using your external application. A secondary approach is regenerating their session via the Embed URL Builder.

Impersonate/View As reflect whatever was persisted the last time that user logged in — if their access has changed since then, or you’re testing a scenario that hasn’t happened yet, impersonation can show stale results. Building the embed URL directly forces a fresh login and guarantees you’re seeing current, live access.


Important Before You Start

Each embed URL load is a full replacement — not a patch. Every time an externalId loads, all their userAttributes, connectionRoles, etc. get overwritten. Using the real user’s ID risks corrupting their session state if you are running tests.

To simulate their embed session without impacting their user profile, Don’t use the real user’s externalId. Use a clearly marked test one instead — something like debug-admin or test-<your-name>.

Also: use a private/incognito window. Embed sessions run on browser cookies. Loading an impersonation session in a regular window can conflict with your existing Omni session. Incognito gives you a clean, isolated context every time.


Step 1 — Find the User’s Embed URL

You need the actual Omni embed session URL that your backend generates for this user — not their browser URL.

Two URLs, easy to mix up:

  • Your app’s URL — e.g. https://app.yourproduct.com/analytics — this is your own frontend. Not what you want.
  • The Omni embed URL — this is what your backend signs and injects into the iframe src. It looks like:
    • https://<your-org>.embed-omniapp.co/embed/login?...
    • Or your custom vanity domain: https://analytics.yourproduct.com/embed/login?...

Check your backend embed URL generation code or server logs to find this. It’s the signed URL with all the parameters in the query string.

You can also find recent embed users in Settings > Users > Embed, which shows each user’s externalId and last login — helpful for confirming which user you’re looking at.


Step 2 — Copy Their Parameters

From the URL, pull out all the parameters. You’re looking for parameters like:

Parameter What it controls
contentPath The dashboard or page they were viewing
externalId Their unique ID (swap in your test one)
name Display name
email Optional, but include if they receive scheduled deliveries
userAttributes Their user attribute values as a JSON object
connectionRoles Their access level per connection — always include this, omitting it can cause unexpected access changes

Step 3 — Build the URL

Go to Settings > Embed > URL Builder. Paste in everything from Step 2, substituting your test externalId. The builder generates the nonce and signature for you. Hit generate.


Step 4 — Load in Incognito

Open the URL in a private/incognito window. This ensures a clean session with no cookie interference from your own account.

You’re now viewing Omni exactly as that embed user would — same attributes, same connection roles, same content path.


Tab Hygiene

Close your incognito window when you’re done. Opening a new session doesn’t invalidate old tabs. If you’re debugging multiple users, use a fresh incognito window for each one to avoid accidentally viewing the wrong user’s data.

1 Like