JWT provides security between SDK and Gateway communication.

JWT setup and validation

  • Allowing the user to configure secret key (Which is used to validate the JWT) while creating APP, however, it is optional.
  • SDK will provide the method to set the JWT from APP.
  • SDK should send the JWT token for each API request if JWT is enabled.
  • Gateway accepts the request and validates the JWT token against JWT secret Key. If it is valid then forward the request to process, else the request is rejected with an error code

JWT payload should contain the expiration (optional) and either 'appUserId or 'customerId.' In JWT payload client can add any other public or private claims. JWT signature should be generated using SHA256 algorithm only. Examples of Header and Payload are provided below.

Sample information to generate JWT token.

JWT Token Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

JWT Payload:

{
  "exp": 1500911718,
 "appId":"NA1212012",
  "appUserId": "AppUserId",	
(or)	
  "customerId": "CustomerId"
}

JWT Token Signature:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

Sample JWT token

1562

SDK uses this JWT token as part of the header (Authorization) for all API requests, Find an example below.

📘

URL : https://devrtm.imiconnect.com/rtmsAPI/api/v1/app/{appid}/setuserid

Headers: Authorization: Bearer

Body:
{
"clientId" : "AP09092338/2315/v2_22315c49b793ad39",
"userId" : "2315"
}

App creation

On app creation, app profiles API accepts the payload (including jwt_secretkey) from IMIconnect and it will be stored in mongo (apps collection)

Validating JWT token using SDK API request

  1. When SDK invokes the gateway API, It accepts the request from SDK with JWT token specified in Authorisation header.
  2. It extracts the appId from the request and loads the app information. Then it gets the JWT secret Key configured in the app.
  3. Request is validated for that JWT token with that of secret Key.
  4. If resulted that the token is valid then it will be forwarded for further processing.
  5. It will be validated with appId, userid/customerid against payload extracted from JW, else rejected with an error code.

The response format is as follows:

{
  “code”:”38”,
  “status”:”Invalid token” 
}

Error codes and format

38 - Invalid token
39 - Token is required to access the requested resource.
40 - Token expired

Copyright © 2000 - 2021 IMImobile Limited | All Rights Reserved