Embedded Analytics Developer Guide

Version 0.4.4 | Last Updated: July 2026

This is the starting point for building against QuantumLayers as a third-party developer. It explains what QL exposes, where its client-side libraries live, how requests are authenticated, and the two ways to reach QL’s facilities — raw API calls or the bundled JavaScript Development Kit (JDK). If you already know which path you want, jump to Embedded Analytics Developer Guide (API) for the full endpoint reference or Embedded Analytics Developer Guide (JDK) for the full class/function reference.


Table of Contents


Overview

QuantumLayers is a standalone analytics platform built around a few core facilities, all of which are reachable from outside the QL server:

  • Datasets — CSV upload, database/API connections, Google Sheets and SFTP sources, dataset merging/joins, and per-column statistics computed at ingestion time.
  • Charting — a library of Chart.js-compatible chart generators (bar, line, pie, scatter, box plot, heatmap, regression, and more) driven purely by POST parameters, plus an auto-recommendation engine that ranks the most informative charts for a given dataset.
  • Statistical analysis — summary statistics, correlation, PCA, and distribution analysis, backed by the Python scripts in python/.
  • AI insights & agent — rule-based and Claude-powered dataset insights, plus a multi-turn conversational agent that can query and chart a dataset on request.
  • Scheduled reports, organizations/teams, and billing — recurring report delivery, multi-seat org management, and subscription plans that gate the above features.

Every one of these facilities is exposed the same way: a WordPress AJAX endpoint (an action name) secured with Bearer token authentication. There is no separate REST API and no GraphQL layer — action names are the entire surface area.

Where the JavaScript lives

Every client-side QL module is published as a standalone file under https://quantumlayers.com/jdk/ and can be pulled into any page with a plain <script> tag — no build step, bundler, or npm package required:

auth.js has no dependency on any other QL module, but every other module depends on it (they all call QLAuth.getSessionToken() to build their Authorization header), so it must always be the first QL script loaded on the page, after jQuery. See the JDK guide for the full function/class reference of each module.

How AJAX/API endpoints are invoked

There is a single URL for every endpoint. You select the operation via the action POST field, and authenticate via the Authorization header (see Authentication below):

Every endpoint responds with the standard WordPress AJAX envelope — { "success": true, "data": {...} } on success, or { "success": false, "data": { "message": "..." } } on failure. Public endpoints (callable by unauthenticated third parties, e.g. viewing a public dataset’s chart) skip nonce checks entirely and rely only on ql_try_auth()/ql_verify_auth() for the Bearer token; endpoints called from within a browser session on the QL site itself additionally expect a nonce field, which is only meaningful for same-origin requests and is not required for cross-origin/API use.


Prerequisites

You need access to a valid QuantumLayers account. The third-party page does not need to sit on the QL server itself — it only needs network access to the QL server.

QL JavaScript Libraries

The following file can be accessed directly from the QL host and can be loaded with a <script> tag:

  • jdk/auth.js — exposes the QLAuth object: token storage, and sign-in helpers.

If you’re only calling endpoints directly (no JDK modules), auth.js is optional — see Authentication for how to obtain a Bearer token without it.


Chart.js Setup

QuantumLayers uses Chart.js 4.4.0 and three plugins. Load all four CDN scripts before your own code if you intend to render the chart configs returned by the analytics endpoints:

The box-plot, date-adapter, and matrix plugins are only needed if you render box_plot/violin, time-based, or heatmap charts respectively — see Analytics & Charting Endpoints for the full chart type reference.


Authentication

Every AJAX request must carry a Bearer token in the Authorization header. Three approaches are available, described below with full code examples. For the raw endpoint invocation (params only, no explanation), see the condensed Authentication endpoints section of the API guide.

Option A — QL Session Token (Same-Origin)

After the user signs in through QL, their token is in localStorage under the key ql_session_token. Read it with QLAuth.getSessionToken():

This option only works for pages served from the same browser context where the user has already logged into QL — it relies on that browser’s localStorage already holding a valid token. It’s the simplest option when you’re embedding QL on a page that lives under quantumlayers.com itself, or when you fully control a flow that lands the user on a QL login page first.

Option B — Third-Party Provider Registration (Shadow Users)

For cross-origin embeds, the QL operator registers your application in the ql_auth_providers table with three fields:

  • id — unique slug (e.g. "acme-corp"); becomes the kid in the JWT header.
  • name — human-readable label.
  • jwt_secret — shared HMAC-SHA256 secret (HS256).

Your backend mints a signed HS256 JWT with the following structure, then POSTs it to ql_third_party_signin. sub and email are required; first_name and last_name are optional but kept in sync on every login.

Minting the JWT — PHP

With firebase/php-jwt (composer require firebase/php-jwt):

Without an external library (PHP built-ins only):

Minting the JWT — Node.js

With jsonwebtoken (npm install jsonwebtoken):

Without an external library (Node.js built-in crypto):

Once you have the signed token, POST it to QL. You can either call the endpoint directly:

…or, if auth.js is loaded, use the QLAuth.thirdPartySignin() helper, which wraps the same request and stores the returned token for you:

QL verifies the signature, then finds or creates a shadow user identified by provider_id + provider_sub. Email and name are kept in sync on every login. The response contains a standard session_token for all subsequent requests.

Note: ql_try_auth() allows unauthenticated access for public datasets; ql_verify_auth() requires a valid token and is used by all write and analysis endpoints.

Option C — API Token (Long-Lived / Server-to-Server)

API tokens created on the API Tokens page can be used directly as Bearer tokens — no prior call to ql_third_party_signin or any other sign-in endpoint is required. This makes them the simplest option for server-side scripts, CI/CD pipelines, and backend integrations where an interactive login flow is impractical.

To create a token, go to the API Tokens page in your account, click + Create token, give it a name and an optional expiry, and copy the value shown immediately after creation — it is only displayed once.

Once you have the token, pass it as the Authorization header on every request:

Choosing between the three options:

OptionBest forToken lifetime
A — QL Session TokenPages hosted on the same QL origin where the user is already signed in30-day session (refreshed on activity)
B — Third-party JWTCross-origin embeds where your backend needs to provision shadow users automaticallyExchanged for a 30-day session token
C — API TokenServer-side scripts, CI/CD pipelines, backend integrations — no browser involvedConfigurable: 30 days / 90 days / 1 year / never

Accessing QL Facilities

Once you can authenticate, there are two ways to reach the facilities described in Overview. Both ultimately hit the same admin-ajax.php endpoints — the JDK is a convenience wrapper, not a different transport.

Direct API / AJAX Calls

Call action endpoints directly with any HTTP client — $.ajax(), fetch(), curl, or a server-side HTTP library in any language. This is the right choice when you don’t want to load any QL JavaScript at all, e.g. server-to-server integrations, or a frontend built in a framework where you’d rather write your own thin API client than depend on jQuery-based modules.

The full list of endpoints — dataset metadata, chart data, statistical analysis, scheduled reports, organization management, utility/connection endpoints, and the QL-Agent endpoint — along with their parameters and response shapes, is documented in Embedded Analytics Developer Guide (API).

JavaScript Development Kit (JDK)

Load one or more of the files under https://quantumlayers.com/jdk and call their exposed objects (QLAuth, QLUpload, QLDashboard, QLAnalytics, QLInsights, QLAgent, etc.) directly — they handle building the request, attaching the Bearer token, and parsing the response for you. This is the right choice for a browser-based embed where you want the same UI logic QuantumLayers itself uses, without re-implementing request plumbing.

The full list of classes, their callable functions, and the CSS-class event bindings they attach to, is documented in Embedded Analytics Developer Guide (JDK).