Working with Embedded Matomo Widgets

BACKGROUND: I recently loaded a Matomo widget from my 3rd party webserver to my local test server, and to my great surprise it worked. Reading the widget guide suggested, however,
that this is not possible without special user authorization.

QUESTION: Is it correct to assume that anyone can see the contents of a widget embedded on a webpage? If not, what must I do to make it possible?



If view access to your website is enabled to anonymous users, everyone can see a widget. Otherwise you’ll need to add the access_token parameter.

But keep in mind that everyone with the access_token has full access to the corresponding user account.

The MANUAL: “Users with the ‘view’ permission can view all reports in Matomo (Piwik) for the website(s) the user is set to ‘view’.”

A POSSIBLE CONSEQUENCE?: This suggests that once a widget is made visible on a website to anonymous visitors, anyone who understands page source can discover the location of the piwik.php file, and anyone who understands both page source and Matomo has full access to all the data available for a website via a Matomo widget. One has only to write the appropriate query string and voilá: the widget appears! Is this an accurate assessment?

MY DESIRE: What I would like to achieve is the following: Display a select number of widgets for anonymous visitors without giving access to my entire Matomo database to those visitors knowledgeable about the creation and use of Matomo widgets.

QUESTION: Is my desire even possible without having to write an AJAX call?



Your interpretation is correct and there is currently no way to limit which widgets a token can access.

There is a github issue about implementing this, but I can’t find it at the moment.

More info:

1 Like

I was not thinking about using a token for specific users; rather, making VIEW available to anonymous users and then limiting their access to specific widgets. I can see, however, how this problem would apply to users both with a token and without.

OK. So, for the moment it is AJAX! Not a big deal, mind you, just a little more coding for users, a possible new project for Matomo.


any development on this. what can be done so that visitors can only see what is embedded on the web page rather than having access to the dashboard. thanks

I gave up on Matomo accommodating this notion and created my own widgets using a combination of JavaScript libraries, PHP requests to Marino’s APIs, and AJAX.

hmm, I dont think this happened with piwik. I just accidentally deleted the old directory so had to install this all again and saw this issue. Do you think password protecting the matomo folder would help or it will clash with the matomo script too

just tried it doesn’t work. But I wonder if the matomo folder is password protected and the password is provided to the matomo script for its bots then it might work.