Cabrechart turns your Salesforce data into drag-and-drop dashboards, AI-powered analysis, and branded PDF or PowerPoint exports — live in 60 seconds, no code required.
Get a live Salesforce dashboard running in under 60 seconds.
Connect your Salesforce org
Create a dashboard
Add a widget
Resize & arrange
Export or share
Sandbox testing
| Requirement | Details |
|---|---|
| Salesforce edition | Enterprise, Unlimited, Performance, or Developer. Must support Connected Apps and the Analytics REST API. |
| Cabrechart package | Install Cabrechart from the Salesforce AppExchange. The managed package pre-configures all OAuth settings automatically — no manual Connected App setup required. |
| User permissions | API Enabled + View Reports in Public Folders + View Dashboards in Public Folders. |
| Browser | Any modern browser (Chrome, Firefox, Safari, Edge). No plugins or extensions required. |
| MFA | Salesforce MFA is fully supported and recommended. Cabrechart does not bypass it. |
Cabrechart uses OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange) — the industry standard for secure browser-based app integrations with Salesforce.
1. Browser → GET /api/auth/login — generates PKCE code_verifier + state, stores challenge in DB
2. Redirect → Salesforce authorization page (user authenticates on SF directly)
3. Salesforce → GET /api/auth/callback?code=&state=
4. Server exchanges code + verifier for access + refresh tokens
5. Tokens encrypted with AES-256-GCM → stored in DB
6. Session JWT set as HttpOnly; Secure; SameSite=Lax cookie
Every subsequent request includes the session cookie. Middleware validates the session and injects the user ID as a request header before API routes run. All Salesforce calls use the user's own token — never a shared admin token.
Coming to the Salesforce AppExchange
Cabrechart is being published as a managed package on the Salesforce AppExchange. Once available, admins install it directly from the marketplace in minutes — no manual Connected App configuration, no credential copying, no .env files to manage.
With the managed package, Cabrechart handles all OAuth infrastructure automatically. The Connected App, OAuth scopes, callback URLs, and PKCE configuration are bundled inside the package and deployed to your org at install time.
Find Cabrechart on AppExchange
Choose installation scope
Assign the permission set
The package includes the Cabrechart Analytics Access permission set. Assign it to any users who should be able to log in. It grants the minimum required access: API Enabled · View Reports in Public Folders · View Dashboards in Public Folders.
Authorize in Cabrechart
Sandbox testing
| Setting | Value |
|---|---|
| Connected App name | Cabrechart Analytics |
| OAuth flow | Authorization Code + PKCE |
| OAuth scopes | api · refresh_token · offline_access |
| Callback URLs | Managed by Cabrechart — pre-configured for all environments |
| Refresh token policy | Expire after 90 days of inactivity |
| Token revocation | Enabled |
| Permission set | Cabrechart Analytics Access (included in package) |
Least privilege
Cabrechart is a fully managed SaaS platform — there are no environment variables for customers to configure. All Salesforce OAuth credentials, encryption keys, and infrastructure secrets are managed by Cabrechart on your behalf.
The table below is for reference only; it applies to Cabrechart's own infrastructure team, not to customers:
| Variable | Purpose | Managed by |
|---|---|---|
| SALESFORCE_CLIENT_ID | OAuth Consumer Key from the managed package Connected App | Cabrechart |
| SALESFORCE_CLIENT_SECRET | OAuth Consumer Secret | Cabrechart |
| SALESFORCE_REDIRECT_URI | OAuth callback URL registered in the Connected App | Cabrechart |
| TOKEN_ENCRYPTION_KEY | AES-256-GCM key for encrypting stored access tokens | Cabrechart |
| SESSION_SECRET | HMAC key for signing session JWTs | Cabrechart |
| DATABASE_URL | PostgreSQL connection string | Cabrechart |
| ANTHROPIC_API_KEY | Powers the AI Analyst feature | Cabrechart |
Nothing to configure
| Property | Value |
|---|---|
| Session type | JWT stored in HttpOnly cookie |
| Cookie flags | HttpOnly · Secure · SameSite=Lax |
| Session TTL | 8 hours — then user must re-authenticate |
| Token encryption | AES-256-GCM · unique IV + salt per record |
| Token refresh | Automatic on access token expiry using stored refresh token |
| PKCE challenge TTL | 10 minutes · deleted from DB on consumption |
| Logout | DELETE /api/auth/logout — clears cookie + deletes session record |
Dashboards are the top-level container for your visualizations. Each dashboard has a name, optional description, and a set of widgets arranged on a 12-column grid.
| Action | How |
|---|---|
| Create | Dashboards page → New Dashboard button. Enter name + optional description. |
| Open | Click any dashboard card. Opens the view mode with live data. |
| Edit | In view mode, click Edit (pencil icon) in the toolbar. Opens the builder canvas. |
| Delete | Hover a dashboard card → trash icon. Requires confirmation. Permanent. |
| Share | Open dashboard → Share button → Generate link. |
| Export | Open dashboard → Export button → opens Export Studio. |
In dashboard edit mode, click Add Widget. The configuration panel opens on the right side of the screen.
| Field | Required | Description |
|---|---|---|
| Title | Required | Display label shown in the widget header and exported documents. |
| Subtitle | Optional | Secondary label for context (e.g., "Last 30 days"). |
| Type | Required | Visualization type — see Widget Reference below. |
| Data source | Required | Report ID (searched by name) or a raw SOQL query string. |
| Value column | Conditional | Which numeric column to use for the Y-axis / metric value. |
| Label column | Conditional | Which text column to use for X-axis labels or pie slices. |
| Filters | Optional | Pre-baked filter conditions applied to the data source at query time. |
Cabrechart supports 11 widget types across three categories.
| Type | Best for | Key config |
|---|---|---|
| bar | Category comparisons, ranked lists | orientation (h/v), stacked, grouped, colorBy |
| line | Time-series trends, multi-series | smooth curves, area fill, multiple series |
| area | Cumulative trends with fill | stackedArea, gradient fill |
| pie | Part-to-whole proportions | maxSlices, showLabels, showLegend |
| donut | Proportions with center KPI | Same as pie + centerValue, centerLabel |
| scatter | Correlation between two metrics | xColumn, yColumn, sizeColumn (optional) |
| funnel | Pipeline conversion stages | showConversionRate, orientation |
| Type | Best for | Key config |
|---|---|---|
metric | Single big number, KPI card | prefix ($), suffix (%), comparison period, delta color |
gauge | Quota attainment, target tracking | min, max, thresholds (green/amber/red zones), target line |
| Type | Best for | Key config |
|---|---|---|
table | Row-level data display | pageSize, sortBy, sortDir, columnFormats, highlight rules |
grouped-table | Multi-dimension grouped data | groupBy column, aggregation (sum/avg/count), expandable |
rich-text | Headers, notes, instructions | HTML content, no data source needed |
section-header | Visual section divider | title, optional subtitle, no data source needed |
The dashboard canvas is a 12-column responsive grid powered by react-grid-layout. Each widget occupies a rectangular slot defined by { x, y, w, h } where x/w are column units and y/h are row units (1 row ≈ 60px).
Cabrechart supports two levels of filtering:
Widget-level filters: applied to a single widget's data source. Configured in the widget editor. They override the report's built-in date range for that widget only.
Dashboard-level filters: configured in the dashboard header bar. Applied to all compatible widgets simultaneously. Viewers can change the dashboard filter without editing the dashboard.
Fiscal quarters
The Reports browser (sidebar → Reports) shows all Salesforce reports accessible to the current user. Reports are fetched live from the Analytics REST API.
Click Run to execute a report. Results appear inline below the report row in a sortable, searchable, paginated table (100 rows/page). Click CSV to download the full result set.
Click Filter to open the filter panel before running. Filter parameters are sent to the Salesforce Reports API at query time and do not modify the underlying report definition.
| Operator | Applies to |
|---|---|
| equals / notEqual | Text, number, date, boolean |
| lessThan / greaterThan | Number, date |
| lessOrEqual / greaterOrEqual | Number, date |
| contains / notContain | Text |
| startsWith | Text |
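An added example, not Cabrechart's code, of how a run-time filter using the operators above reaches Salesforce without modifying the saved report: the filter travels in the request body's `reportMetadata`, which the Reports REST API applies to that run only. The API version, the column names and types, and the sample report ID are constructed assumptions.

```javascript
// Added example of validating a run-time report filter and building the Reports API
// request that carries it (illustrative, not Cabrechart's code).
const API_VERSION = 'v59.0' // assumption; any supported Reports API version behaves the same

// Operator-to-column-type compatibility, transcribed from the operator table above
const OPERATORS_BY_TYPE = {
  text: ['equals', 'notEqual', 'contains', 'notContain', 'startsWith'],
  number: ['equals', 'notEqual', 'lessThan', 'greaterThan', 'lessOrEqual', 'greaterOrEqual'],
  date: ['equals', 'notEqual', 'lessThan', 'greaterThan', 'lessOrEqual', 'greaterOrEqual'],
  boolean: ['equals', 'notEqual'],
}

// Constructed column metadata of the kind a report describe call would return
const SAMPLE_COLUMN_TYPES = {
  'Opportunity.StageName': 'text',
  'Opportunity.Amount': 'number',
  'Opportunity.CloseDate': 'date',
  'Opportunity.IsClosed': 'boolean',
}

// Rejects filters on columns the report does not expose and operator/type mismatches
// before anything is sent, so bad input never becomes a Salesforce API error.
function validateFilter(filter, columnTypes) {
  const type = columnTypes[filter.column]
  if (!type) return { ok: false, reason: `unknown column: ${filter.column}` }
  if (!(OPERATORS_BY_TYPE[type] || []).includes(filter.operator)) {
    return { ok: false, reason: `operator ${filter.operator} is not valid for ${type} columns` }
  }
  return { ok: true }
}

// Builds the POST the server sends with the user's own OAuth token. The saved report
// definition is untouched: reportFilters in the body apply to this execution only.
function buildReportRunRequest(reportId, filters, columnTypes) {
  // Salesforce report IDs are 15- or 18-character IDs with the 00O key prefix
  if (!/^00O[A-Za-z0-9]{12}([A-Za-z0-9]{3})?$/.test(reportId)) {
    throw new Error('reportId is not a Salesforce report ID')
  }
  for (const f of filters) {
    const v = validateFilter(f, columnTypes)
    if (!v.ok) throw new Error(v.reason)
  }
  return {
    method: 'POST',
    path: `/services/data/${API_VERSION}/analytics/reports/${encodeURIComponent(reportId)}`,
    body: {
      reportMetadata: {
        reportFilters: filters.map(f => ({
          column: f.column,
          operator: f.operator,
          value: String(f.value), // the API takes filter values as strings
        })),
      },
    },
  }
}
```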
Click the + icon on any report row, choose a widget type and target dashboard. The widget is created with the report as its data source, pre-baked filters included.
Instead of a Salesforce report, widgets can use a raw SOQL query as their data source. This gives you full control over which fields, objects, and aggregations are returned.
SELECT only
Only SELECT statements are permitted. DML keywords (INSERT, UPDATE, DELETE, UPSERT) and DDL are blocked at the API layer.

```sql
-- Pipeline by stage
SELECT StageName, COUNT(Id) Deals, SUM(Amount) TotalValue
FROM Opportunity
WHERE IsClosed = false AND CloseDate = THIS_QUARTER
GROUP BY StageName
ORDER BY TotalValue DESC

-- Top 10 accounts by ARR
SELECT Account.Name, SUM(Amount) ARR
FROM Opportunity
WHERE IsWon = true AND CloseDate = THIS_FISCAL_YEAR
GROUP BY Account.Name
ORDER BY ARR DESC
LIMIT 10

-- Rep activity last 7 days
SELECT Owner.Name, COUNT(Id) Activities, ActivityDate
FROM Task
WHERE ActivityDate = LAST_N_DAYS:7
GROUP BY Owner.Name, ActivityDate
ORDER BY ActivityDate DESC
```
The query is executed using the jsforce client with the user's own OAuth token. Row-level security and field-level security are enforced by Salesforce before results are returned.
Sidebar → SF Dashboards lists all native Salesforce dashboards accessible to the current user. Each shows the dashboard name, description, folder path, and component count.
The AI Analyst is a conversational interface that gives you natural-language access to your Salesforce data. It uses a Salesforce-aware AI model with structured tool use — instead of generating hallucinated answers, it runs real queries and reasons over real data before responding.
Access it two ways:
Pro & Team plans
The model has access to these read-only Salesforce tools. Tool activations are shown as animated pills in the chat UI while the model is working.
| Tool | What it does |
|---|---|
| list_salesforce_reports | Browse the org's report library to find the most relevant report for a question. |
| describe_salesforce_report | Inspect a report's metadata — columns, filters, groupings — before running it. |
| run_salesforce_report | Execute a report and retrieve results (up to 50 rows sent to the model). |
| run_soql_query | Run a SELECT SOQL query against any accessible object. |
| describe_salesforce_object | Read the field definitions and relationships for a Salesforce object to avoid hallucinated field names. |
| list_salesforce_objects | Enumerate available objects to find the right source for a question. |
| get_widget_data | Fetch the current data from a specific dashboard widget (dashboard-context mode only). |
| suggest_visualization | Recommend a chart type and configuration for the data shape in the response. |
| Plan | Monthly AI credits | Top-up available |
|---|---|---|
| Starter | — | — |
| Pro | Included allocation | Yes — $5 top-up from chat interface |
| Team | Higher allocation | Yes — $5 top-up from chat interface |
When credits are exhausted, the chat interface shows a Top up $5 now button that redirects to a Stripe checkout. Credits reset at the start of each billing month.
The model receives a maximum of 50 rows per tool call result. PII beyond what is strictly necessary for the analysis is stripped before data leaves the server.
Open Export Studio from any dashboard via the Export toolbar button. The Studio is a full-page interface with a configuration panel on the left and a live cover-page preview on the right.
Choose export type
Set metadata
Choose a template
Exclude widgets (optional)
Configure page options
Download
| Option | Values | Default |
|---|---|---|
| Template | corporate · modern · minimal · executive · data-dense | corporate (overridden by Settings default) |
| Page size | LETTER · A4 · LEGAL | LETTER |
| Orientation | portrait · landscape | portrait |
| Cover page | Always included with title, subtitle, logo, date, prepared-by label | — |
| Table of contents | Auto-generated from widget titles | Included |
| Widget layout | Full-page (1 per page) or 2-up (2 per page) | Full-page |
| Intro notes | Optional free-text section after cover | Empty |
| Widget exclusions | Per-widget toggle in Studio | All included |
| Footer text | From branding settings or overridable per-export | From Settings |
| Template | Style |
|---|---|
| Corporate | Structured header, blue KPI cards, colored table headers, accent stripe |
| Modern | Clean white, bold typography, left accent sidebar on KPI cards |
| Minimal | Sparse layout, thin borders, light color palette — ideal for data-dense exports |
| Executive | Dark background, gold accents, premium feel — best for board packs |
| Data Dense | Compact spacing, maximizes information per page, smaller font |
PPTX exports place each widget on its own slide. The first slide is always a branded title slide.
| Option | Values | Default |
|---|---|---|
| Template | corporate · modern · dark · pitch · operational | corporate (overridden by Settings default) |
| Slide size | widescreen (16:9) · standard (4:3) | widescreen |
| Custom template | Upload a .pptx in Settings → PPTX Library to extract brand theme | — |
| Slide titles | Widget title. Editable per-slide in Studio. | Widget title |
| Widget exclusions | Per-widget toggle in Studio | All included |
| Template | Style |
|---|---|
| Corporate | Dark navy title slide, branded footer bar on each slide |
| Modern | Color band title slide, white content slides, top accent stripe |
| Dark | Full dark theme throughout — optimized for projector / screen presentations |
| Pitch | Bold, high-contrast, blue gradient — investor / startup decks |
| Operational | Compact, data-rich, light background — daily ops & field reports |
Set company identity once in Settings. It is automatically applied to every PDF, PPTX, and share-link dashboard.
| Field | Used in |
|---|---|
| Company Name | PDF cover page, PPTX title slide, share link header |
| Tagline | PDF cover page sub-line, PPTX title slide |
| Logo URL | PDF header (every page), PPTX slides, share link header |
| Primary Color | PDF headers, KPI card accents, table column headers |
| Secondary Color | Sub-headers, contrast elements |
| Accent Color | Trend delta badges, highlight elements |
| Footer Text | PDF page footer (every page) |
| "Prepared by" Label | PDF cover attribution line |
| Default PDF Template | Pre-selected in Export Studio (overridable per export) |
| Default PPTX Template | Pre-selected in Export Studio (overridable per export) |
Upload up to 10 logos (PNG · JPG · SVG · max 300 KB each). When exporting, choose which logo to use from a dropdown. Logos are stored securely and referenced by ID in export requests.
Upload up to 5 branded .pptx files (max 10 MB). Cabrechart extracts theme colors and fonts via the Office Open XML spec. The original file is discarded; only color/font metadata is stored. Mark a template as Active to apply it automatically to all PPTX exports. When a custom template is active, its colors and fonts override the built-in template palette.
Scheduled reports automatically generate a branded PDF and email it to any list of recipients on a recurring schedule. Recipients do not need a Cabrechart account.
| Field | Required | Description |
|---|---|---|
| Name | Required | Internal name for the schedule (e.g., "Weekly Sales Summary"). |
| Dashboard | Required | Which dashboard's live data to export. |
| Frequency | Required | daily · weekly · monthly. Use a preset or configure custom. |
| Hour / Minute | Required | Time of day to run. Minute options: :00 or :30. |
| Timezone | Required | Any IANA timezone (e.g., America/New_York). Defaults to ET. |
| Recipients | Required | Comma or newline-separated list of email addresses. |
| Subject | Optional | Email subject line. Defaults to "[Dashboard name] — [date]". |
| Message | Optional | Personal note included in the email body above the PDF attachment. |
| Plan | Max active schedules |
|---|---|
| Starter | 1 |
| Pro | 5 |
| Team | 20 |
Share links generate a public, read-only URL for a dashboard. Recipients see live Salesforce data with no login required.
Treat share links like sensitive documents
| Feature | Starter — $20/mo | Pro — $50/mo | Team — $200/mo |
|---|---|---|---|
| Dashboards | 3 | Unlimited | Unlimited |
| Widgets per dashboard | Unlimited | Unlimited | Unlimited |
| PDF export | ✓ | ✓ | ✓ |
| PowerPoint export | — | ✓ | ✓ |
| AI Analyst | — | ✓ | ✓ |
| Custom branding | — | ✓ | ✓ |
| Scheduled reports | 1 | Up to 5 | Up to 20 |
| Share links | Limited | Included | Unlimited |
| Data refresh interval | 30 min | 5 min | 1 min |
| Salesforce report browser | ✓ | ✓ | ✓ |
| SF dashboard import | ✓ | ✓ | ✓ |
| Support | Standard | Priority | Dedicated |
All plans include the 24-hour free trial. Billed monthly. Cancel anytime — access continues through the end of the billing period. Payments processed by Stripe (PCI-compliant).
| Limit | Value | Notes |
|---|---|---|
| API requests (data endpoints) | 100 req/min per user | Enforced via Redis token bucket |
| Auth endpoints | 10 req/min per user | Login, callback, logout |
| Salesforce API rows per widget | 2,000 rows | Salesforce org API governor limits also apply |
| AI query rows sent to model | 50 rows per tool call | Data minimization policy |
| SOQL query timeout | 30 seconds | Returns timeout error; retry with more specific query |
| Report async timeout | 30 seconds client / 20 min SF | Large reports use SF async polling |
| PDF export size | No hard limit | Large dashboards may take 10–30s to generate |
| Logo upload size | 300 KB per image | PNG · JPG · SVG |
| PPTX template upload | 10 MB | .pptx files only |
| Share links per dashboard | Unlimited (Team) · Limited (Starter/Pro) | |
| PKCE challenge TTL | 10 minutes | Automatically cleaned up |
Salesforce governor limits
| Control | Implementation |
|---|---|
| OAuth flow | Authorization Code + PKCE (S256). No implicit flow. |
| Session | JWT in HttpOnly + Secure + SameSite=Lax cookie. 8h TTL. |
| Token storage | AES-256-GCM encrypted with unique IV + salt per record. |
| Token rotation | Access token auto-refreshed on expiry using stored refresh token. |
| PKCE challenges | Stored server-side, one-time use, 10-min TTL, deleted on consumption. |
| Middleware | Every request validated in edge middleware before reaching API routes. |
| SF permissions | User's own OAuth token used for all Salesforce calls — sharing rules enforced by SF. |
| Admin permissions | Separate admin middleware. Admin flag stored on user record. |
| Control | Implementation |
|---|---|
| Transport | HTTPS enforced everywhere. HSTS with preload. |
| Security headers | CSP, X-Frame-Options: DENY, X-Content-Type-Options: nosniff |
| Database | SSL required connection. Private network. No public endpoint. |
| Secrets | Environment variables / secret manager. Never in source code. |
| Dependency scanning | npm audit in CI. Dependabot / Snyk recommended. |
| Audit logging | Every data access, export, AI query, login, and logout logged with IP, user agent, user ID, resource, and timestamp. |
| Audit retention | Minimum 1 year. |
The SOQL execution layer enforces an allowlist at the API layer before sending any query to Salesforce:
```javascript
// Blocked at /api/salesforce/query
const FORBIDDEN = /\b(INSERT|UPDATE|DELETE|UPSERT|MERGE|CREATE|ALTER|DROP|EXEC|EXECUTE)\b/i

// Wrapper function added here to give the check a runnable form; it returns the
// HTTP status the endpoint responds with for a given query string.
function checkQuery(query) {
  if (FORBIDDEN.test(query)) {
    return 400 // Bad Request: DML/DDL keyword present
  }
  if (!query.trim().toUpperCase().startsWith('SELECT')) {
    return 400 // Bad Request: only SELECT statements are accepted
  }
  return 200 // OK: query is executed against Salesforce with the user's own token
}
```

| Data | Stored? | Notes |
|---|---|---|
| Salesforce CRM data | Never | Fetched live on demand, never written to Cabrechart DB. |
| Dashboard configuration | Yes | Widget types, titles, layout, data source references (report IDs / SOQL strings). |
| User account record | Yes | Salesforce user ID, display name, email (from Salesforce identity endpoint). |
| OAuth tokens | Yes (encrypted) | AES-256-GCM encrypted at rest. Never logged or exposed via API. |
| Branding / logos | Yes | Company name, colors, uploaded logo images. |
| Audit logs | Yes | IP, user agent, user ID, resource, action, timestamp. Retained 1 year minimum. |
| Schedule configuration | Yes | Schedule metadata, recipient email addresses. |
| PKCE challenges | Ephemeral | Deleted on use or after 10 min expiry. |
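The SELECT-only gate from the security controls section above, exercised over constructed queries as an added example (not Cabrechart's code). The harness makes the accept/reject boundary visible, including two behaviours that follow directly from the keyword regex but are easy to miss: the `FOR UPDATE` row-locking clause is refused because `UPDATE` matches, and a string literal containing a keyword is refused as a safe-side false positive, while a field name such as `Last_Update_Date__c` passes because `\b` does not match inside a word. The `checkSoql` name and the sample queries are assumptions.

```javascript
// Added example: the SELECT-only gate with a reason string, run over constructed queries
// (illustrative, not Cabrechart's code).
const FORBIDDEN = /\b(INSERT|UPDATE|DELETE|UPSERT|MERGE|CREATE|ALTER|DROP|EXEC|EXECUTE)\b/i

function checkSoql(query) {
  if (typeof query !== 'string' || query.trim() === '') return { status: 400, reason: 'empty query' }
  if (FORBIDDEN.test(query)) return { status: 400, reason: 'forbidden keyword' }
  if (!query.trim().toUpperCase().startsWith('SELECT')) return { status: 400, reason: 'must start with SELECT' }
  return { status: 200, reason: 'ok' }
}

// Constructed sample queries (not from the page) chosen to show the rule's edges
const SAMPLES = [
  { label: 'pipeline by stage', query: 'SELECT StageName, COUNT(Id) Deals FROM Opportunity WHERE IsClosed = false GROUP BY StageName' },
  { label: 'leading whitespace', query: '   select Id FROM Account LIMIT 1' }, // accepted: trim() + case-fold
  { label: 'DML', query: 'DELETE FROM Account' }, // refused by the keyword check
  { label: 'row locking', query: 'SELECT Id FROM Account FOR UPDATE' }, // refused: UPDATE matches
  { label: 'keyword inside a literal', query: "SELECT Id FROM Case WHERE Subject = 'Please delete my data'" }, // safe-side false positive
  { label: 'field containing a keyword', query: 'SELECT Last_Update_Date__c FROM Account' }, // accepted: no word boundary inside the name
  { label: 'not a select', query: 'FIND {Acme} IN ALL FIELDS RETURNING Account' }, // refused: SOSL, not a SELECT
  { label: 'empty', query: '   ' },
]

// Returns one result per sample so the gate's decision for each can be inspected
function runSamples() {
  return SAMPLES.map(s => ({ label: s.label, ...checkSoql(s.query) }))
}
```

The false positive on literals is the right trade-off for a read-only analytics endpoint: a refused query costs the user a rewrite, while a missed keyword would cost the org data.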
Questions or security issues?