When working with your custom APIs, it can be necessary to validate that a request was made by an authenticated user and that this user is authorized to perform it.
You can send the current user's JWT token to your API to validate the user and check their permissions. Usually this is done with the Authorization header, but you are free to use any implementation.
There are two types of user tokens:
- token: generated per user, contains the user ID in its payload
- project token: generated per app (and environment), contains the user ID, project ID, environment ID, permissions, user properties and team properties
Use "token" or "project token" for HTTP requests.
JSON Web Tokens are an open, industry-standard method (RFC 7519) for representing claims securely between two parties. There are many libraries across different languages and tech stacks that allow you to validate a JWT. The token's payload also contains the user info and permission details.
Here is the public key you should use to validate that a received token is a genuine token generated by Jet Admin. Only trust the payload (user, project, permissions) once the signature has been verified against this key.
{% code title="jet_admin_key.pub" %}
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
{% endcode %}
If you want to grant access to your API based on Jet Admin user permissions, you can parse the JWT payload to get the user's permissions and check them. In this case you should use the project token.
You can inspect a project token payload using https://jwt.io/
Example of a project token payload with Full Access permissions:
```json
{
  "token_type": "access",
  "exp": 1668998967,
  "jti": "102778f3241d49a6b442dc8b205ec821",
  "user": "1025c221-948a-4b7c-a58b-fa7cf816a72c",
  "project": "jet_bridge_gql",
  "environment": "prod",
  "projects": {
    "jet_bridge_gql": {
      "super_group": true
    },
    "demo_resources": {
      "read_only": true
    }
  },
  "user_properties": {},
  "group_properties": {}
}
```
Example of a project token payload with granular permissions:
```json
{
  "token_type": "access",
  "exp": 1675744090,
  "jti": "6f20ac1c51094e18971499816c79be66",
  "user": "d6a4c751-55c5-44e4-99fc-049c287ce71e",
  "project": "jet_bridge_gql",
  "environment": "prod",
  "projects": {
    "jet_bridge_gql": {
      "super_group": false,
      "read_only": false,
      "permissions": "H4sIAC7S4WMC/52PPUvEQBRF/0qYelky3y92YiWriKyCIBLeZN6YuNkkzIwGlf3vJp1YbGF1L5xb3PP8zSaKxy6lbhzq/DkRuyjYcfTUs03xm43ujZq80tBFcpio/pCD2eKM0ac/Y2zyEmldx9mvMFIa32NDdR4PNNQtpnalTSVRWArcVt4EFGjF0oArlNwaRRx0CSWGpnHgXcmlkLQ0ERDJO7DstCn+oYBdzOh6qg3vvrY4Tbv54ebx+vLwmk3c3dfZ9bdPIuzbfdRX9s4MZ/zO2IEBI5XhUC6PFztHiBC0MUZzIq68BNRCQaW1h4oHTmADKYE8uMXYsdPLD+tKZ+ShAQAA"
    },
    "demo_resources": {
      "read_only": true
    }
  },
  "user_properties": {
    "na37j0tc": "bar2",
    "q5zdv0e3": "bar1"
  },
  "group_properties": {
    "5vlsld0o": "test value"
  }
}
```
The permissions key is a JSON object that has been Gzip-compressed and then Base64-encoded. It contains detailed information about the permissions assigned to the user's team.
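The following is an added example (not Jet Admin's own code) that ties the two steps above together on the API side: verify the token signature with the Jet Admin public key, then derive the access level for your project from the payload, decoding the Gzip+Base64 permissions field where present. It assumes PyJWT for the signature check and assumes the RS256 algorithm, which this page does not name; `verify_token`, `project_access` and the sample permissions object are hypothetical names and constructed data.

```python
import base64
import gzip
import json
import time
from typing import Optional


def verify_token(token: str, public_key_pem: str) -> dict:
    """Check the signature (and exp) with the Jet Admin public key; return the payload.
    Uses PyJWT (third-party), imported here so the rest of the module runs without it.
    RS256 is an assumption: pin the algorithm you expect, never accept "none"."""
    import jwt
    return jwt.decode(token, public_key_pem, algorithms=["RS256"])


def decode_permissions(value: str) -> dict:
    """The granular "permissions" field: Base64 -> Gzip -> JSON object."""
    raw = gzip.decompress(base64.b64decode(value))
    return json.loads(raw.decode("utf-8"))


def encode_permissions(obj: dict) -> str:
    """Inverse of decode_permissions; only used to build constructed test data."""
    return base64.b64encode(gzip.compress(json.dumps(obj).encode("utf-8"))).decode("ascii")


def project_access(payload: dict, project: str, environment: str,
                   now: Optional[float] = None) -> Optional[dict]:
    """Access the verified payload grants for (project, environment), or None to reject.
    `payload` must come from verify_token(); an unverified payload proves nothing."""
    now = time.time() if now is None else now
    if payload.get("token_type") != "access":
        return None                      # only access tokens authorize API calls
    if payload.get("exp", 0) <= now:
        return None                      # expired (PyJWT rejects this too; belt and braces)
    if payload.get("project") != project or payload.get("environment") != environment:
        return None                      # issued for another app or environment (e.g. dev vs prod)
    entry = payload.get("projects", {}).get(project)
    if not entry:
        return None
    if entry.get("super_group"):
        return {"level": "full"}         # Full Access payload shape from the page
    if "permissions" in entry:           # granular shape: super_group/read_only false
        return {"level": "granular", "permissions": decode_permissions(entry["permissions"])}
    if entry.get("read_only"):
        return {"level": "read_only"}
    return None
```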