Skip to main content
The JTL platform uses different credentials and tokens depending on the integration type and API. This page explains what each one is, when to use it, and how to manage it. To obtain these tokens, see the OAuth 2.0 Flow page.

Credentials and Tokens at a Glance

Credential / TokenWhat it isWhere you get itLifetime
Client IDYour app’s public identifierPartner Portal (after registration)Permanent (can regenerate)
Client SecretYour app’s private key for authenticationPartner Portal (shown once at registration)Permanent (can regenerate)
Access Token (JWT)Short-lived token for authenticating API requestsToken endpoint (client credentials grant)~1 hour
Session TokenShort-lived token identifying the current merchant and userApp Shell (via AppBridge)Short-lived
API Key (OnPremise)Permanent key for local ERP API accessJTL-Wawi desktop registration flowPermanent
SCX Auth TokenShort-lived token for SCX Channel API requestsSCX auth endpoint~1 hour

Client Credentials

Client credentials identify your app on the JTL platform. Every registered app receives a pair: a Client ID (public) and a Client Secret (private). Together, they’re used to request access tokens from JTL’s identity provider.

Client ID

Your app’s public identifier. It’s safe to include in logs and non-sensitive contexts. The Partner Portal displays it on your app’s detail page, and you can view it at any time.

Client Secret

Your app’s private key, used alongside the Client ID to generate access token for your app. The Partner Portal displays it only once, immediately after registration.
The Client Secret is shown only once. Copy and store it securely at the moment of registration. If you lose it, you’ll need to regenerate it.

Regenerating a Lost Secret

If you lose your Client Secret, regenerate it in the Partner Portal by creating a new app:
  1. Log in to the Partner Portal
  2. Click the + Create button. You’ll see a manifest editor with prefilled example
  3. Replace the example manifest with the contents of your manifest.json file
  4. Click the Register App and copy the new Client Secret
  5. Update the secret in your app’s environment variables and redeploy.

Storage Best Practices

DoDon’t
Store in environment variables (.env, .env.local)Hardcode in source code
Use a secrets manager in production (AWS Secrets Manager, HashiCorp Vault, etc.)Commit .env files to version control
Restrict access to credentials to team members who need themShare credentials in chat, email, or tickets
Rotate the secret if you suspect it’s been compromisedReuse the same credentials across multiple apps

Access Token (JWT)

The access token is what your backend uses to authenticate API requests to JTL. You obtain it by sending your client credentials to JTL’s token endpoint via the client credentials grant.

Token Response

When you request an access token, JTL returns: 
{
	"access_token": "eyJhbGciOiJSUzI1NiIsImt.......",
	"expires_in": 3599,
	"scope": "",
	"token_type": "bearer"
}
FieldTypeDescription
access_tokenstringThe JWT to include in API request headers
expires_innumberSeconds until the token expires (3599 ≈ 1 hour)
scopestringThe granted scopes
token_typestringAlways bearer: include as Authorization: Bearer <token>

Using the Access Token

Include it in the Authorization header of every API request: 
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImt.......

Token Lifecycle

Access tokens expire in approximately 1 hour (expires_in: 3599). Handle this as follows:
  • Cache the token: Don’t request a new one for every API call
  • Track expiry: Store the expires_in value and request a new token before it expires (for example, when less than 5 minutes remain)
  • Handle 401 responses: A 401 Unauthorized response typically means the token has expired. Request a new one and retry the request once.

Session Token

Session tokens are issued by the App Shell and identify which merchant (tenant) and user is currently interacting with your app. They are only relevant for Cloud Apps that run inside the App Shell. Unlike access tokens (requested by your app), session tokens come from the host environment. The App Shell passes them to your app through AppBridge, a lightweight SDK that handles session tokens, method calls, and events. For implementation details on retrieving and verifying session tokens, see Cloud Apps: Authentication & Login.

Decoded Structure

A session token is a JWT with three parts: header, payload, and signature. 
{
	"header": {
		"alg": "EdDSA",
		"typ": "JWT"
	},
	"payload": {
		"exp": 1746616503,
		"userId": "<UUID>",
		"tenantId": "<UUID>",
		"tenantSlug": "<string>",
		"kid": "<string>"
	},
	"signature": "fwjol6pXYkS7sXQ..."
}
FieldValueDescription
algEdDSAEdwards-curve Digital Signature Algorithm (the signing algorithm)
typJWTStandard JWT type identifier

Payload

FieldTypeDescription
expnumberExpiration timestamp (Unix time). The token is invalid after this time
userIdstring (UUID)Unique identifier of the authenticated user
tenantIdstring (UUID)Identifier of the merchant’s tenant. Send this as the X-Tenant-ID header on every ERP API request
tenantSlugstringHuman-readable tenant identifier
kidstringKey identifier from the JTL customer service

Signature

The signature ensures the token has not been tampered with. Your backend verifies it using JTL’s public keys, fetched from the JWKS endpoint.

Verification

Session tokens must be verified server-side using JTL’s public keys:
  • Your backend requests an access token (client credentials grant)
  • Using that access token, it fetches JTL’s public keys from the JWKS endpoint (https://api.jtl-cloud.com/account/.well-known/jwks.json)
  • It uses the public key to verify the session token’s signature
  • If the signature is valid, the payload (tenantId, userId, etc.) can be trusted
Never trust a session token without verifying it server-side. A token received from the client (frontend) could be tampered with. Always verify the signature against the JWKS public key before acting on the payload.

API Key (OnPremise)

API keys are permanent credentials used only in the OnPremise deployment model. They are generated through a two-step registration process in the JTL-Wawi desktop application.

Key Characteristics

PropertyValue
FormatUUID (e.g. 00000000-0000-0000-0000-000000000000)
LifetimePermanent (does not expire unless revoked)
ShownOnce, at the time of creation
Header formatAuthorization: Wawi <API-Key>
ScopeLocal to the Wawi installation where it was registered
Like the Client Secret, the API key is displayed only once during registration. Store it securely immediately. If lost, you will need to go through the registration process again.
For the full OnPremise registration flow, see OAuth 2.0 Flow (OnPremise tab).

Token Comparison

Access TokenSession TokenAPI KeySCX Auth Token
Used byCloud apps (backend)Cloud apps (frontend to backend)OnPremise appsMarketplace channels
FormatJWT (Bearer)JWT (EdDSA)UUIDJWT (Bearer)
Lifetime~1 hourShort-livedPermanent~1 hour
How to getClient credentials grantAppBridge (getSessionToken)Wawi registrationSCX auth endpoint
Refresh mechanismRe-request with credentialsRe-request via AppBridgeN/A (permanent)Re-request with credentials
Verify server-side?No (trusted issuer)Yes (JWKS)N/A (you created it)No (trusted issuer)

Inspecting Tokens for Debugging

During development, you may need to decode a JWT to inspect its contents: 
import { jwtVerify, importJWK, decodeProtectedHeader } from 'jose';

export async function verifySessionToken(sessionToken: string) {
	const response = await fetch(
		'https://api.jtl-cloud.com/account/.well-known/jwks.json',
	);

	if (!response.ok) {
		throw new Error(`Failed to fetch JWKS (${response.status})`);
	}

	const jwks = await response.json();

	const { kid } = decodeProtectedHeader(sessionToken);
	if (!kid) {
		throw new Error('Missing kid');
	}

	const jwk = jwks.keys.find((k: any) => k.kid === kid);
	if (!jwk) {
		throw new Error('No matching JWK');
	}

	const publicKey = await importJWK(jwk, 'EdDSA');

	const { payload } = await jwtVerify(sessionToken, publicKey, {
		algorithms: ['EdDSA'],
		issuer: 'https://api.jtl-cloud.com',
	});

	return payload;
}
For quick inspection during development, paste your token into jwt.io. It decodes the header and payload instantly. Do not paste production tokens or any sensitive credentials into third-party tools.

Next Steps

Scopes & Permissions

Understand which API scopes are available and how to request the right level of access.

OAuth 2.0 Flow

How to obtain access tokens, API keys, and SCX auth tokens.

Cloud Apps: Authentication

Implementation guide for session tokens, AppBridge, and the setup handshake in Cloud Apps.

Error Handling

How to handle auth errors, expired tokens, and 401 responses.