Authenticating requests with JSON Web Tokens (JWT)
JSON Web Tokens (JWT) can be used to authenticate JS SDK requests from recognized customers. This provides a way to identify customers before authorizing requests that modify personal data.
By default, the form.submit
events require JWT authentication. If you want to enable this for other events, see Event authentication settings.
The tokens are generated by your backend.
Synerise requires a JWT encoded with the RS256 algorithm (this is not the default algorithm used by the jwt.io debugger).
Prerequisites:
A public RSA key must be added to Synerise.
- Go to Data Management > Events.
- On the JS SDK event settings tab, in the Certificate section, click Define.
- If a certificate is already added, perform one of the following actions
- Keep using the existing certificate, no further actions are required.
- Overwrite the existing certificate by continuing to step 4.
WARNING: Overwriting a certificate requires providing the new certificate in your backend implementation! JWT tokens signed with the old certificate are rejected!
- Open the terminal.
- Generate public and private RSA keys by using these commands:
openssl genpkey -out private.pem -algorithm RSA -pkeyopt rsa_keygen_bits:2048
openssl pkcs8 -topk8 -inform pem -in private.pem -outform DER -nocrypt -out private.der
openssl rsa -pubout < private.pem > public.pem
- Perform one of the following actions:
- To enter the certificate as text, in the Certificate code field paste the certificate with the header and footer.
The header and footer are:-----BEGIN PUBLIC KEY-----
;-----END PUBLIC KEY-----
Important: The pasted certificate cannot contain line breaks or spaces.Tip: To open the certificate in the terminal, you can usually usecat public.pem
in the root directory. - To upload the certificate as a file, click Upload Certificate > Upload certificate code and select a file from your computer.
- To enter the certificate as text, in the Certificate code field paste the certificate with the header and footer.
- Click Apply.
Implementation overview
This flowchart is a high-level overview of the JWT creation logic. Your implementation must cover all of these scenarios.
The details are described in this section.
Implementation details
When a customer provides their email (for example, when logging in), generate a JWT for the customer.
The provided email is used as customer_email
everywhere in this process.
Check if identity hash exists
- Initialize the JS SDK.
- Check the current identity hash by calling the
SR.client.getIdentityHash()
method. - Depending on the result, continue to one of these procedures:
- If the method returns an empty string, the hash does not exist. Follow this instruction.
- If the method returns a non-empty string, a hash exists. Follow this instruction.
If an identity hash does NOT exist
- Generate an identity hash by calling the
SR.client.hashIdentity("customer_email")
method. - From the
_snrs_uuid
cookie, retrieve the customer’s UUID. - Generate a JWT. In the payload, provide the
customer_email
and the UUID retrieved from the cookie.
For details, see this section. - Call the
SR.client.setUuidAndIdentityHash("email_hash", "customer_uuid")
method, where:
email_hash
is the hash you generated earlier withSR.client.hashIdentity("customer_email")
customer_uuid
is the customer UUID retrieved from the_snrs_uuid
cookie and encoded in the JWT
Result:
The customer can now send events that require JWT authentication.
If an identity hash exists
- Call the
SR.client.getIdentityHash()
method. - Call the
SR.client.hashIdentity("customer_email")
method. - Compare the returned values.
- If the values are identical, the identity matches the current customer. Follow this this instruction.
- If the values are different, the identity does not match the current customer. Follow this this instruction.
If the identity matches the current customer
- From the
_snrs_uuid
cookie, retrieve the customer’s UUID. - Generate a JWT. In the payload, provide the
customer_email
and the UUID retrieved from the cookie.
For details, see this section.
Result:
The customer can now send events that require JWT authentication.
If the identity does not match the current customer:
- Generate a new UUIDv5 using the
customer_email
.
For details, see this section. - Generate an identity hash by calling the
SR.client.hashIdentity("customer_email")
method. - Generate a JWT. In the payload, provide the
customer_email
and the UUID you generated. For details, see this section. - Call the
SR.client.setUuidAndIdentityHash("email_hash", "customer_uuid")
method, where:
email_hash
is the hash you generated earlier withSR.client.hashIdentity("customer_email")
customer_uuid
is the customer UUID retrieved from the_snrs_uuid
cookie and encoded in the JWT
Result:
The customer can now send events that require JWT authentication.
Generating JSON Web Tokens (JWT)
-
In the header, include the following data:
{ "alg": "RS256”, "typ": "JWT" }
-
In the payload, include the following data:
{ "exp": 1599737564, // expiry time as a UNIX timestamp, less than 7 days away "uuid": "af0a5e16-dc1f-5242-8b22-daf62c3cb78d", // customer's UUID "email": "customer.email@domain.com" // customer's email }
Important: The token lifetime cannot be longer than 7 days. -
Sign the token with the public and private keys.
-
Encode the token.
-
Apply the encoded token in one of the following ways:
- Store the token in the
_snrs_token
cookie. - Call the
SR.client.setAccessToken("token-as-a-string")
JS SDK method.
Result:
The JWT is stored assnr-token
in local storage. If you applied the token by using a cookie, the cookie is deleted. - Store the token in the
You may want to return to: