If your app has a Manage URL or if your element uses external settings, then we authenticate the user using JSON Web Tokens (JWT). Parameters that identify the user, as well as an iat (Issued At timestamp - i.e. the time the token was generated), the user’s language, and the jti (a unique JWT token ID to prevent replay attacks), are injected as a token into the URL.

JWT tokens are encoded using the HS256 algorithm. Our implementation follows the standard as specified in the JSON Web Token spec.

You decode the token by including a JWT library and using your app’s secret (found on your app’s admin page in the Developer Admin portal). For example, if you’ve included the Firebase PHP JWT library you decode the token with the following PHP code:

$decoded = JWT::decode($_GET['jwt'], $client_secret, array('HS256'));

 These are the fields that the token contains:

  • user_id
  • site_id
  • callback_url
  • iat (the timestamp)
  • jti (the token ID)

There are many client libraries for JWT, you can find them at http://jwt.io/. That site also includes a fiddle, where you can test your decoding.


Help make these docs better!