Dashboard-Assisted Mode

Dashboard-assisted mode provides a browser-based interface for configuring schemas, managing projects, and executing pipelines. This page describes the dashboard's role and its relationship to pipeline execution.

The dashboard does not execute data pipelines itself.

What the Dashboard Does

Configuration

The dashboard provides interfaces for:

Configuration	Location
Schema management	`/projects/[projectId]/schemas`
API key management	`/projects/[projectId]/keys`
Domain allowlisting	`/projects/[projectId]/domains`
Webhook configuration	`/projects/[projectId]/webhooks`
Sync target setup	`/projects/[projectId]/sync/targets`
Organization settings	`/org/*` routes

Configuration changes are persisted server-side and apply to all clients using the project.

Visualization

The dashboard displays:

Import history and metadata
Validation results and error summaries
Column profiles and data quality metrics
Audit logs (actions, not row content)

Orchestration

The dashboard coordinates:

Schema selection for imports
Column mapping configuration
Validation rule application
Export and sync initiation

Identity and Access Enforcement

The dashboard enforces:

Enforcement	Mechanism
User authentication	NextAuth with JWT strategy
Organization membership	`requireOrgAccess()` checks
Project access	`requireProjectAccess()` checks
Role-based permissions	RBAC definitions in `lib/rbac-definitions.ts`
Tier limits	Server-side enforcement in API routes

What the Dashboard Does Not Do

Does Not Execute Pipelines

Pipeline execution (parsing, validation, masking, transforms, profiling) occurs in the browser, not on dashboard servers. The dashboard:

Loads pipeline configuration
Provides UI for triggering execution
Displays results after execution

The dashboard servers never process row-level data.

Does Not Store Row Data

Row content is processed in the browser and exported or synced directly to user-configured targets. Dashboard servers store:

Import metadata (row counts, timestamps, status)
Validation summaries (error counts, not error content)
Column profiles (aggregates, not row values)

No evidence found that row-level data is persisted server-side.

Authentication Flow

Session-Based Authentication

User authenticates via OAuth (GitHub, Google) or magic link
NextAuth creates JWT with user ID, organization memberships, and roles
JWT is stored in session cookie
Subsequent requests validate session and extract context

Publishable Key Verification

For embedded React components:

Publishable key included in initialization
/api/license/verify validates the key and returns tier limits
Domain checked against project_domains table
Usage tracking, when enabled, posts to /api/track separately

Domain Validation

Publishable keys are domain-locked:

Requests from unregistered domains are rejected (no token issued)
Localhost is always allowed and does not count toward caps
First domain may be auto-registered if project has no domains and is within tier limits
Domain verification is cached client-side (5-minute TTL)

Embedded Components

React components can be embedded in customer applications:

import { RowOpsImporter } from '@rowops/importer';

<RowOpsImporter
  projectId="..."
  publishableKey="pk_..."
  schemaId="..."
  onComplete={handleComplete}
/>

Embedded components:

Execute pipelines in the customer's browser
Use publishable keys for authentication
Are subject to domain locking
Do not require dashboard access for end users

Role-Based Access Control

Roles

Roles are hierarchical: owner > admin > developer > viewer

Permissions

Permission	Roles
`delete_org`	owner
`manage_billing`	owner, admin
`manage_members`	owner, admin
`manage_apps`	owner, admin, developer
`manage_schemas`	owner, admin, developer
`run_engines`	owner, admin, developer
`manage_keys`	owner, admin, developer
`view_usage`	all
`view_audit`	all

Enforcement Points

API routes call requireMinimumRole() or requireSessionPermission()
Middleware validates session before route handlers
Client-side UI hides actions user cannot perform

Tier Enforcement

Tier limits are enforced server-side:

Check	Location
Row limits	License verification response
Project limits	Project creation API
Domain limits	Domain registration API
Feature access	License verification response

The dashboard displays tier information but does not enforce limits client-side only.

What This Mode Does Not Guarantee

Offline operation: Dashboard requires network access
Complete client isolation: Usage tracking persists metadata server-side
Identical behavior to headless: Some UI-specific features may not have headless equivalents

What the Dashboard Does​

Configuration​

Visualization​

Orchestration​

Identity and Access Enforcement​

What the Dashboard Does Not Do​

Does Not Execute Pipelines​

Does Not Store Row Data​

Authentication Flow​

Session-Based Authentication​

Publishable Key Verification​

Domain Validation​

Embedded Components​

Role-Based Access Control​

Roles​

Permissions​

Enforcement Points​

Tier Enforcement​

What This Mode Does Not Guarantee​