Session tokens are security credentials that authenticate users within the JTL platform ecosystem. They allow apps to interact with protected JTL services on behalf of the authenticated user without requiring repeated login procedures. This page explains how to retrieve and use session tokens within your app implementations to enable secure communication with JTL backend services.
The getSessionToken function is exposed through the appBridge API, enabling apps to access the current user's session information in a secure manner.
Returns the current user's session token, which can be used for authentication with JTL backend services. The return value is a JSON Web Token (JWT) containing user session details, divided into the standard three parts: header, payload, and signature.
The session token returned by getSessionToken is a JSON Web Token (JWT) that contains essential information about the current user session. This token follows the standard JWT format with three parts: header, payload, and signature.
A decoded session token has the following structure:
```json
{
  "header": {
    "alg": "EdDSA",
    "typ": "JWT"
  },
  "payload": {
    "exp": 1746616503,
    "userId": "<UUID>",
    "tenantId": "<UUID>",
    "kid": "<string>"
  },
  "signature": "fwjol6pXYkS7sXQzRqqbySw9yBRCdKkc6h_ekq5j0TZEbemCpISFeIZn1RNr2vJhbIlsqeaUBjshVGMkoOECBA"
}
```
alg: The algorithm used for signing the token (in this case, EdDSA - Edwards-curve Digital Signature Algorithm)
typ: The type of token, which is standard "JWT"
exp: Expiration timestamp (Unix time) after which the token is no longer valid
userId: Unique identifier for the authenticated user in the cloud-identity-provider
kid: The customerId from the jtl customer service
tenantId: Identifier for the current tenant/organization the user belongs to
The signature is used to verify that the token hasn't been altered after being issued. It's created by signing the base64url-encoded header and payload (joined by a dot) using the algorithm specified in the header. Decoding a token only reveals its contents; only checking the signature against the issuer's public key establishes that the token is genuine.
The session token is provided in an encoded format that you may need to decode for debugging or validation purposes. Here's how you can decode a JWT token:
```javascript
// JWT segments are base64url-encoded (RFC 7515: '-' and '_' instead of '+' and '/', no padding).
// atob() expects standard base64, so convert the segment first.
function base64UrlToBase64(segment) {
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return base64 + '='.repeat((4 - (base64.length % 4)) % 4);
}

function decodeJWT(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('Invalid JWT format');
  }
  // Decode header and payload; this reveals the contents but does not verify the signature
  const header = JSON.parse(atob(base64UrlToBase64(parts[0])));
  const payload = JSON.parse(atob(base64UrlToBase64(parts[1])));
  return {
    header,
    payload,
    signature: parts[2]
  };
}

// Usage
const decodedToken = decodeJWT(sessionToken);
console.log(decodedToken.payload.userId);
```
For development purposes, you can use online tools like jwt.io to decode and inspect JWT tokens. Simply paste the token into the debugger to see its contents.
Note: Never share production JWTs with third-party services, as they contain sensitive information.
To use the token in an authenticated request, see the api-gateway documentation.