Building an Embeddable Live Analytics Demo: From Concept to Reality

How I built a secure, embeddable live demo for my analytics platform - the challenges I faced and solutions that actually worked.

IZ
izadoesdev
Author
June 17, 2025
about 1 month ago
1 min read
Reading time
Jun 17, 2025
Last updated
Category:Product
Tags:#Product#Demo#User Experience#Security

Creating a live, interactive demo for your SaaS product sounds straightforward until you dive into the real-world complexities. When I set out to build an embeddable analytics dashboard demo for Databuddy, I discovered that showcasing your product without authentication barriers involves more technical and security considerations than I initially expected.

Here's the story of how I built my live demo system - including the challenges I faced, the solutions I implemented, and the lessons I learned about creating truly accessible product demonstrations.

The Demo Dilemma

Like many SaaS companies, I faced the classic demo challenge: how do you show off your product's capabilities without forcing potential customers through a lengthy signup process? For an analytics platform like Databuddy, this was particularly tricky because:

  • Authentication barriers: My dashboard requires user login to access website data
  • Data privacy: I couldn't expose real customer data in a public demo
  • Complex permissions: My system has detailed website ownership and access controls
  • Trust factor: People want to see the real product, not mockups

I considered the usual suspects:

  • Screenshot galleries: Static and boring
  • Video demos: Engaging but not interactive
  • Sandbox accounts: Still required signup and felt fake
  • Mock interfaces: Obviously not the real product

None of these felt right. I needed something that was genuinely interactive, showed real data, and didn't require any barriers to entry.

My Solution: The Demo Website Approach

My breakthrough was creating a special "demo website" that bypasses my normal authentication flow while using completely real data and functionality.

The Concept

I created a specific website entry in my database that serves as my public demo. This demo website:

  • Uses real analytics data from my documentation site
  • Updates in real-time as visitors interact with my docs
  • Bypasses authentication requirements for public access
  • Maintains full functionality of a regular dashboard

The key insight was that instead of creating fake demo data, I could use the analytics from my own documentation site. This gave me:

  • Authentic, constantly updating data
  • Real user behavior patterns
  • Genuine insights that demonstrate my platform's value

Why This Approach Works

  1. Authenticity: The data is completely real - it's my actual documentation analytics
  2. Always fresh: New data flows in as people visit my docs
  3. Demonstrates value: Visitors can see genuine insights, not contrived examples
  4. Zero friction: No signup, no barriers, just instant access

Authentication Challenges I Didn't Expect

What seemed like a simple "skip authentication for this one website" turned into a multi-layered challenge that taught me about the complexity of modern application security.

The Layered Authentication Problem

Modern applications don't just check authentication in one place. I discovered my system had multiple layers:

  1. API middleware that validates user sessions
  2. Permission middleware that checks website access rights
  3. Individual route handlers that verify user context
  4. Database queries that filter data by user ownership

Simply bypassing the first layer wasn't enough - I had to update each layer to handle my demo website as a special case.

The "Unauthorized" Surprise

My first implementation worked for some endpoints but failed for others with "Unauthorized" errors. The issue? Route handlers were still expecting authenticated user context that didn't exist for demo requests.

This taught me an important lesson: authentication isn't just about blocking access - it's often integral to how your application logic works. Removing it requires careful consideration of every downstream dependency.

The Solution Pattern

I developed a consistent pattern: check for the demo website ID first, then proceed with normal authentication for everything else. This approach:

  • Keeps security intact for regular users
  • Provides seamless access for demo visitors
  • Maintains all existing functionality

Security Considerations That Matter

Building an authentication bypass immediately raises security red flags. I had to carefully think through potential vulnerabilities and attack vectors.

The Big Security Questions

1. Rate Limiting My initial implementation completely bypassed rate limiting for demo requests. This could potentially allow denial-of-service attacks or resource abuse.

Solution: I implemented demo-specific rate limiting with stricter limits than normal authenticated users.

2. Data Exposure I had to ensure the demo only exposes appropriate data:

  • No personal user information
  • No sensitive business metrics
  • Only general website analytics (page views, referrers, etc.)

3. Abuse Prevention Using a hardcoded website ID could be problematic if someone could guess other website IDs or if the demo data contained sensitive information.

Solution: I use a randomly generated, unguessable ID and carefully curate what data the demo website contains.

Security Best Practices I Implemented

  • Specific ID checking: I check for the exact demo website ID, not a pattern
  • Read-only access: Demo bypass only works for viewing data, not modifying it
  • Careful data curation: Demo website data is specifically chosen to be non-sensitive
  • Monitoring: All demo access is logged for abuse detection
  • Database validation: Demo requests still validate that the website exists

The key insight: authentication bypasses require extra security attention, not less.

Making It Embeddable: The Iframe Journey

Getting my dashboard to work inside an iframe required navigating modern web security policies - something that's trickier than it used to be.

The Content Security Policy Challenge

Modern web applications use strict Content Security Policy (CSP) headers to prevent security attacks. My initial configuration blocked iframe embedding entirely:

frame-ancestors 'none'  // This blocks ALL iframe embedding

This meant my dashboard couldn't be embedded anywhere, defeating the purpose of my demo.

The Solution

I updated my CSP to allow iframe embedding while maintaining security:

frame-src 'self' https:     // Allow loading frames from HTTPS sources  
frame-ancestors *           // Allow embedding on any site

The frame-ancestors * directive was crucial - it allows any website to embed my dashboard in an iframe.

Security Trade-offs

Allowing universal iframe embedding does create some risks:

  • Potential clickjacking attacks
  • Context confusion for users

However, for a demo-only interface with no sensitive actions, this trade-off was acceptable. For production dashboards with user accounts, you'd want to be more restrictive.

User Experience: From Tiny to Fullscreen

Technical functionality is only half the battle - the demo also needed to provide an excellent user experience.

The Size Problem

My first iframe implementation was way too small to showcase the dashboard effectively. I was constraining it to a 16:9 video aspect ratio, which made charts and data tables nearly unreadable.

The progression:

  1. Started with standard video proportions (too small)
  2. Increased to 70% of viewport height (better but still cramped)
  3. Added fullscreen functionality (game changer)

Fullscreen Implementation

The fullscreen feature was crucial for user experience. People want to explore a dashboard properly, not squint at a tiny embedded version.

I implemented:

  • Toggle button in the demo header
  • Smooth transitions between normal and fullscreen modes
  • Responsive sizing that works on all devices
  • Professional styling that maintains the "browser" aesthetic

Visual Polish That Matters

Small details made a big difference:

  • Browser-like interface with traffic light buttons
  • "Live Demo" indicator with animated status dot
  • Smooth animations for state changes
  • Professional loading states

These touches help the demo feel polished and trustworthy rather than like a quick hack.

The Frontend Challenge: The Hacky (But Brilliant) Solution

Once I had the backend authentication bypass working, I faced another challenge: how do I create the demo frontend without duplicating my entire dashboard codebase?

The Problem

My main dashboard is a complex Next.js application with:

  • Multiple route handlers and components
  • State management with Jotai
  • Custom hooks for data fetching
  • Sophisticated layouts and navigation
  • Hundreds of components across different tabs

Creating a separate demo version would mean either:

  1. Duplicating everything - maintaining two codebases (nightmare)
  2. Extracting shared components - massive refactoring project
  3. Building a simplified version - wouldn't show the real product

None of these options felt right. I needed something cleverer.

The Ridiculously Simple Solution

My breakthrough was realizing I didn't need to rewrite anything. I could just create new routes that literally re-export the existing dashboard pages. Here's the entire implementation:

Demo Overview Page (/demo/[id]/page.tsx):

"use client";

export { default } from '../../../(main)/websites/[id]/page'

Demo Sessions Page (/demo/[id]/sessions/page.tsx):

export { default } from '../../../(main)/websites/[id]/sessions/page'

Demo Profiles Page (/demo/[id]/profiles/page.tsx):

export { default } from '../../../(main)/websites/[id]/profiles/page'

That's it. One line per page. The magic happens in the layout.

The Layout Wrapper

The demo-specific experience comes from a custom layout that wraps all demo pages:

// /demo/layout.tsx
export default function DemoLayout({ children }: { children: React.ReactNode }) {
  return (
    <div className="h-screen bg-gradient-to-br from-background to-muted/20">
      <DemoSidebar />  {/* Custom demo navigation */}
      <div className="md:pl-72 pt-16 h-screen relative">
        <div className="h-[calc(100vh-4rem)] overflow-y-scroll">
          {children}  {/* This is literally the main dashboard page */}
        </div>
      </div>
    </div>
  );
}

The DemoSidebar component provides demo-specific navigation:

const demoNavigation = [
  {
    title: "Analytics",
    items: [
      { name: "Overview", href: "/demo/OXmNQsViBT-FOS_wZCTHc" },
      { name: "Sessions", href: "/demo/OXmNQsViBT-FOS_wZCTHc/sessions" },
      { name: "Funnels", href: "/demo/OXmNQsViBT-FOS_wZCTHc/funnels" },
      // ... all demo routes
    ],
  }
];

Why This "Hack" Is Actually Genius

1. Absolute Zero Code Duplication I reuse 100% of my dashboard pages, components, logic, and styling. The demo pages are literally the same code that paying customers use.

2. Always Up-to-Date When I add new features, fix bugs, or update the UI in the main dashboard, the demo gets those changes instantly. There's no separate demo codebase to maintain.

3. Authentic Experience The demo isn't a simplified version or a mockup - it's the exact same application with the exact same functionality. When someone explores the demo and then signs up, there are zero surprises.

4. Minimal Maintenance I maintain one layout file and one sidebar component. Everything else - all the complex analytics logic, charts, data tables, state management - is shared.

5. Easy to Extend Adding a new page to the demo? One line of code: export { default } from '../../../(main)/websites/[id]/new-page/page'

The Reality Check

Look, this approach isn't "clean architecture" by textbook standards. It creates coupling between my demo and main app routes. But you know what? It works incredibly well.

Sometimes the "hacky" solution is actually the most pragmatic. Instead of spending weeks building a sophisticated shared component system, I found a way to reuse everything with literally one line of code per page.

This approach has saved me countless hours of maintenance and ensures my demo always represents the real product accurately. The demo isn't a separate application - it's just the main application with a different layout and hardcoded website ID.

Key Lessons Learned

Building this demo system taught me valuable lessons about product demos, authentication, and user experience.

1. Authentication Is More Complex Than It Appears

Don't assume bypassing authentication is a simple middleware change. In modern applications, authentication often touches:

  • Multiple middleware layers
  • Route handler logic
  • Database access patterns
  • Frontend state management

Takeaway: Audit all authentication touchpoints before implementing bypasses.

2. Security Requires Ongoing Attention

Authentication bypasses are inherently risky and need continuous monitoring. I learned to:

  • Document all security trade-offs
  • Implement specific monitoring for demo access
  • Plan for abuse prevention from day one
  • Regularly review demo access patterns

Takeaway: Treat demo authentication bypasses as security-critical features that need ongoing attention.

3. User Experience Trumps Technical Perfection

My initial iframe was technically functional but provided a poor user experience. The fullscreen functionality and proper sizing made the difference between a demo people ignored and one they actually explored.

Takeaway: Test your demo with real users and prioritize usability over technical elegance.

4. Real Data Beats Perfect Mockups

Using my actual documentation analytics instead of crafted demo data was a game-changer. Real data:

  • Shows authentic usage patterns
  • Demonstrates genuine product value
  • Updates automatically with fresh insights
  • Feels trustworthy to potential customers

Takeaway: Find ways to use real, non-sensitive data in your demos whenever possible.

5. Progressive Enhancement Works

I didn't build the perfect demo on the first try. Instead, I:

  • Started with basic functionality
  • Identified pain points through testing
  • Iteratively improved based on feedback
  • Added advanced features like fullscreen mode

Takeaway: Ship a working demo quickly, then enhance based on actual usage.

6. Component Architecture Matters

The wrapper pattern I used for demo components proved incredibly valuable. It allowed me to:

  • Reuse complex dashboard logic without duplication
  • Customize the demo experience without touching core code
  • Maintain a single source of truth for analytics functionality
  • Scale to new demo features easily

Takeaway: Design your component architecture to support multiple presentation contexts from the start.

What I'd Do Differently

Looking back, here's what I'd approach differently:

Plan Authentication Architecture Upfront

I treated the authentication bypass as an afterthought, which led to multiple rounds of fixes across different system layers. Next time: I'd design the authentication system with demo access as a first-class use case.

Implement Rate Limiting from Day One

I initially shipped without demo-specific rate limiting, creating a potential security risk. Next time: I'd implement abuse prevention before launching the demo publicly.

Test Embedding Early

I discovered iframe and CSP issues late in the process. Next time: I'd test embedding functionality across different browsers and security configurations from the beginning.

Gather User Feedback Sooner

I spent time optimizing technical aspects that users didn't care about while missing UX issues that actually mattered. Next time: I'd get the demo in front of real users much earlier in the development process.

Design Component Architecture for Reuse

While my wrapper pattern worked well, I could have designed my original dashboard components with better separation of concerns to make demo integration even cleaner. Next time: I'd consider multiple presentation contexts when designing component interfaces.

The Result

Today, my live demo provides an authentic, interactive experience that showcases Databuddy's capabilities without any barriers. Visitors can:

  • Explore real analytics data in real-time
  • Experience the full dashboard functionality
  • View the demo in fullscreen for detailed exploration
  • Embed the demo on their own sites if needed

Most importantly, it converts. People who interact with my live demo are significantly more likely to sign up because they've already experienced the value of my platform firsthand.

Want to see it in action? Check out my live analytics demo and experience the full Databuddy dashboard without signing up.

Building a great product demo is about more than just removing authentication - it's about creating an experience that effectively communicates your product's value while maintaining security and trust. If you're working on a similar challenge, I'd love to hear about your approach and share more details about my implementation.

Found this helpful?

Share this article with others who might benefit from privacy-first analytics insights.

Share on TwitterShare on LinkedIn

Ready to try privacy-first analytics?

Get started with Databuddy today. No consent banners, no cookies, just powerful insights that respect your users' privacy.

🚀 Start Free Trial

How we ensure full GDPR compliance

Learn how Databuddy ensures full GDPR compliance while providing powerful analytics insights. No cookies, full data ownership, and complete privacy protection.