Skillmine Auth - Documentation

Protect your API

Last updated 1 year ago

Validate the API request's authorization token

Auth issues a standard JWT-format authorization token for each authorized API request. The token is encrypted and signed as a JWS token.

Understanding JWS token

An encoded JWS token is constructed with three parts:

  • JOSE Header: Declares the token type and the signing algorithm

  • JWS Payload: Includes all the token's claims

  • JWS Signature: Signature produced with the signing JWK

A standard schema of an Auth-issued JWS Payload (claims may vary, based on your custom OIDC config):

| Key       | Description                                  |
|-----------|----------------------------------------------|
| jti       | unique JWT ID                                |
| sub       | subject, usually the user ID                 |
| iat       | timestamp the token was issued at            |
| exp       | timestamp the token expires at               |
| client_id | ID of the client the token was issued to     |
| iss       | token issuer identity                        |
| aud       | audience of the token                        |

INFO

For development, to visually inspect a JWT token, you could visit jwt.io to decode and check the tokens you received. Be careful with, or better never use, tokens from a production environment: as this is a third-party public online service, your token may be exposed.

Validating a JWT. Check that:

  1. The token's issuer is https://<your-auth-domain> (issued by your Auth server).

  2. The token is within its expiration time.

Validating the JWS signature. Verify the JWS signature with the JWK the Auth server signed the token with (see Understanding JWS token above).

There are various open-source libraries and packages that can help you validate and decode a JWT token easily. Pick one that fits the language and framework of your backend application and integrate it there. See the examples we have:

  • Protect your API on Node(Express)
  • Protect your API on Spring Boot
  • Protect your API on Python
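The validation steps above, carried out end to end as an added example that is not Skillmine Auth's own code. It assumes an HS256 token whose shared secret is published as an "oct" JWK with a kid, a placeholder issuer (https://<your-auth-domain>) and an assumed audience, and uses only the Python standard library; a real Auth deployment would normally publish asymmetric keys at a JWKS endpoint and you would use one of the libraries mentioned above, but the checks are the same: pin the algorithm, look the key up by kid, compare the JWS signature in constant time, then check iss, aud and exp (with a small clock-skew leeway).

```python
# Added example, not Skillmine Auth's own code. Assumes: HS256 with the shared
# secret published as an "oct" JWK (RFC 7517), a placeholder issuer/audience,
# and standard-library Python only. Real deployments normally use asymmetric
# keys from a JWKS endpoint and a JWT library, but the checks are the same.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped '=' padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed sample JWK set; the secret is a placeholder, not a real key.
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1", "alg": "HS256",
                  "k": b64url_encode(b"placeholder-shared-secret-not-for-real-use")}]}
EXPECTED_ISSUER = "https://<your-auth-domain>"      # placeholder from the text above
EXPECTED_AUDIENCE = "https://api.example.invalid"   # assumed API resource identifier
CLOCK_SKEW_LEEWAY = 30                              # seconds of tolerance for exp/nbf


class TokenError(ValueError):
    """Raised for any reason the token must be rejected."""


def _find_jwk(jwks: dict, kid: Optional[str]) -> Optional[dict]:
    """Select the symmetric JWK whose kid matches the token header."""
    return next((k for k in jwks["keys"] if k.get("kid") == kid and k.get("kty") == "oct"), None)


def sign_hs256(claims: dict, jwk: dict) -> str:
    """Build header.payload.signature; used here only to make sample tokens."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, jwks: dict, issuer: str, audience: str,
                   now: Optional[float] = None) -> dict:
    """Return the claims if every check passes, otherwise raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("a compact JWS has exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad base64, bad JSON and bad UTF-8
        raise TokenError("malformed header or signature") from exc
    # Pin the algorithm: the verifier decides what it accepts, not the token.
    if header.get("alg") != "HS256":
        raise TokenError("unsupported alg")
    jwk = _find_jwk(jwks, header.get("kid"))
    if jwk is None:
        raise TokenError("no JWK matches the token's kid")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison of the JWS signature, before trusting any claim.
    if not hmac.compare_digest(expected, signature):
        raise TokenError("JWS signature mismatch")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenError("malformed payload") from exc
    if claims.get("iss") != issuer:
        raise TokenError("unexpected issuer")
    aud = claims.get("aud")  # RFC 7519 allows a string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this API")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + CLOCK_SKEW_LEEWAY:
        raise TokenError("token expired or exp missing")
    if "nbf" in claims and now + CLOCK_SKEW_LEEWAY < claims["nbf"]:
        raise TokenError("token not yet valid")
    return claims


def is_valid(token: str, now: float) -> bool:
    """Wrapper for request handlers: True only if validate_token accepts the token."""
    try:
        validate_token(token, JWKS, EXPECTED_ISSUER, EXPECTED_AUDIENCE, now=now)
        return True
    except TokenError:
        return False


def make_sample_token(now: float, **overrides) -> str:
    """Constructed token carrying the claims from the payload table above."""
    claims = {"jti": "sample-jti-001", "sub": "user-123", "iat": int(now), "exp": int(now) + 3600,
              "client_id": "sample-client", "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE}
    claims.update(overrides)
    return sign_hs256(claims, JWKS["keys"][0])


if __name__ == "__main__":
    now = time.time()
    print("fresh token valid:", is_valid(make_sample_token(now), now))
    print("expired token valid:", is_valid(make_sample_token(now, exp=int(now) - 1000), now))
```

The order of the checks matters: the signature is verified before any claim is read, so a tampered payload never reaches the issuer or audience logic, and the accepted algorithm is fixed by the verifier rather than taken from the token header.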

Reference

Validate the authorization token

Auth uses the code-based OAuth 2.0 Authorization Protocol to make your API requests safer. If you are interested in the strategy behind it, refer to OAuth 2.0's official document for more details.