# Session Token

Session tokens are security credentials that authenticate users within the JTL platform ecosystem. They allow apps to interact with protected JTL services on behalf of the authenticated user without requiring repeated logins. This page explains how to retrieve and use session tokens in your app so that it can communicate securely with JTL backend services.

## getSessionToken

The `getSessionToken` function is exposed through the [appBridge](/products/appregistration/appbridge) API and lets apps access the current user's session information in a secure manner.

### Description

Returns the current user's session token, which can be used to authenticate against JTL backend services.

### Return Value

A JSON Web Token (JWT) containing the user's session details, divided into the standard three parts: header, payload, and signature.

### Usage Example

The session token returned by `getSessionToken` is a JSON Web Token (JWT) that contains the essential information about the current user session. The token follows the standard JWT format with three parts: header, payload, and signature.
### Token Structure

A decoded session token has the following structure:

```json
{
  "header": {
    "alg": "EdDSA",
    "typ": "JWT"
  },
  "payload": {
    "exp": 1746616503,
    "userId": "",
    "tenantId": "",
    "kid": ""
  },
  "signature": "fwjol6pXYkS7sXQzRqqbySw9yBRCdKkc6h_ekq5j0TZEbemCpISFeIZn1RNr2vJhbIlsqeaUBjshVGMkoOECBA"
}
```

#### Header

- `alg`: The algorithm used to sign the token (here EdDSA, the Edwards-curve Digital Signature Algorithm)
- `typ`: The type of token, which is the standard "JWT"

#### Payload

- `exp`: Expiration timestamp (Unix time) after which the token is no longer valid
- `userId`: Unique identifier of the authenticated user in the cloud-identity-provider
- `kid`: The customerId from the JTL customer service
- `tenantId`: Identifier of the tenant/organization the user currently belongs to

#### Signature

The signature is used to verify that the token has not been altered after it was issued. It is created by signing the base64url-encoded header and payload (joined by a dot) with the algorithm specified in the header.

### Decoding a JWT Token

The session token is provided in its encoded form; you may need to decode it for debugging or validation purposes. Here is how you can decode a JWT token:

#### Using JavaScript

```javascript
// JWT segments are base64url-encoded (using '-' and '_' and no '=' padding),
// which atob() does not accept as-is, so normalise to standard base64 first
// and decode the result as UTF-8.
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  const bytes = Array.from(atob(padded), c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0'));
  return decodeURIComponent(bytes.join(''));
}

function decodeJWT(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('Invalid JWT format');
  }
  // Decode header and payload; the signature is returned as-is.
  // This only decodes the token, it does not verify the signature.
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  return { header, payload, signature: parts[2] };
}

// Usage
const decodedToken = decodeJWT(sessionToken);
console.log(decodedToken.payload.userId);
```

Decoding only reveals the token's contents; it does not check the signature, so a decoded payload must not be treated as authenticated data until the signature and `exp` have been verified.

#### Using Online Tools

For development purposes, you can use online tools such as [jwt.io](https://jwt.io/) to decode and inspect JWT tokens. Simply paste the token into the debugger to see its contents.

> **Note:** Never share production JWTs with third-party services, as they contain sensitive information.
### Using the token

To use the token in an authenticated request, take a look at the [api-gateway](/products/appregistration/api-gateway)!