Skip to main content
Back to Web SDK Overview The Platform only accepts SDK clients that present valid credentials. You must register your app, obtain Client credentials, and use them to generate a signed JWT for every session.

Authentication Flow

  1. Your SDK signs a JWT with the user identity and Client credentials.
  2. The Platform verifies the signature using the registered public key or shared secret.
  3. Your SDK exchanges the JWT for a Bearer Token used in all subsequent API calls.

JWT Flow

JWT Flow

JWT Structure

A JWT has three dot-separated parts: header.payload.signature
Supported algorithms:

Payload

JWT Parameters


JTI Validations

When jti is included, the Platform enforces:
  1. Expiry ≤ 1 hour — If violated:
  2. No replay — If the same jti is reused:

Hosting the JWT Generation Service

The Client Secret or RSA Private Key must never be exposed client-side. Host JWT generation as a REST web service:
  • For the Web SDK: the service is called from the user’s browser.
  • For mobile SDKs: the service is called from the user’s device.
Keep the Client ID, Client Secret, and expiry logic server-side. Accept only the user ID from the client. Open-source JWT libraries: To register your app and get credentials, see SDK App Registration.

JSON Web Encryption (JWE)

Use JWE to send sensitive data alongside the user identity in the JWT. Include the data in secureCustomData or privateClaims — it becomes available in the dialog context at context.session.UserContext.privateClaims.<field>.

JWE Token Structure

A JWE token has five parts: Header.EncryptedKey.IV.CipherText.AuthTag

JWE Header Parameters

Sample decoded JWE header:

Generate a JWE Token

Steps:
  1. Choose a JWE library for your language (Python: PyJWT, Java: javax.crypto, Node.js: node-jose).
  2. Prepare your payload — include sensitive fields under privateClaims or secureCustomData.
  3. Choose encryption algorithms.
  4. Use the Platform’s public key for asymmetric encryption.
Python example:

Find the JWE Public Key

Enable the JWE option when creating an SDK app. The public key is displayed in JWK format. Public Key

Verify and Decrypt a JWE Token

Python example:
For the full JWE specification, see RFC 7516.