Using a JWT Token for Mobile Authorization
Implement your own authorization mechanism for API access for online mobile SDKs
Implement your own authorization mechanism for API access for online mobile SDKs
While the value of mobile_api_key you set in your secrets.json in the Configuration section provides a convenient way of authorizing requests to the server for mobile SDKs, at some point you might need to authorize users based on your own needs before they can access the SenseCrypt server APIs.
In another scenario, you might not wish to expose your mobile_api_key as a hard coded configuration parameter in your code and, instead, would prefer to authorize user's based on your own needs.
A JSON Web Token (JWT) provides a convenient mechanism to address these scenarios.
In the example below, it is assumed you have already authorized yourself using you api_key as was shown in the previous section.
To generate a JWT, expand the /gen-jwt section and then click the Try it out button as shown below:
This will enable the following data to be editable:
The instance_id can be used to generate JWT tokens for a particular mobile device (the mobile SDKs provide a mechanism to get the ID for a device, this device ID should be used as a value for the instance_id parameter).
If you need a generic JWT which is not bound to a device, you can use an empty body as shown below.
While this will work, it is recommended that you generate tokens for specific devices for better security.
The API call returns the JWT token. Now you can initialize the online mobile SDKs with the value Bearer your_jwt_token instead of using the mobile_api_key for auth.
By default the lifetime of JWT tokens is 5 mins. You can change this by changing the configured value of jwt_expire_seconds in your server's configuration.
For better security, you can also change the value of jwt_secret to some value that only you know.
