Generating JWT Request (Secure mode)
Before you proceed, you should have the Application ID, the Secret Key, the Method Name and the parameters of the service, which will go into the payload.
- You can find libraries for generating a JWT for your platform here: http://jwt.io/#libraries-io.
- Please refer to the Plugins\XcellenceIt.Plugin.Misc.WebApiClient\Sample\Example.html file included in the plug-in, which implements the same using JavaScript.
For example, the token for the Login method can be generated using the parameters below:
[Note: In 4.00 we are sending APISecretKey in the header, as shown in the figure below, and not in the request parameters]
- AppId – Used to verify request.
- IAT – The time the JWT was issued. Can be used to determine the age of the JWT.
- exp – Probably the most often used registered claim. It defines the expiration as a NumericDate value. The expiration MUST be after the current date/time, in UNIX format [Set exp (expiration) to not more than 5 minutes].
- method – Name of the method you want to call.
Depending on the method, pass the request parameters required by the method you're calling.
Once you have all the details, use the libraries to generate the JWT and then make requests to the Web Services using the JWT Request Token.
Important notes for ensuring the security of requests:
- Always calculate the JWT using a back-end programming language before sending an API request in production
- Always make your call using HTTPS
- Make sure to disable the plug-in's Debug mode in the production environment
- Monitor your System Logs for Token expiration or Signature Mismatch entries; they may give you a hint if someone is trying to hack into your site using the API.
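The token generation described above, done on the back end, together with the receiver-side check that produces the two log conditions to monitor. This is an added example, not the plug-in's own code. It assumes HS256 signing with the Secret Key (the page does not name the algorithm); the Login parameter name and all values are constructed.

```python
import base64, hashlib, hmac, json, time

MAX_TTL = 300  # page's limit: exp not more than 5 minutes after issue

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: str, signing_input: str) -> str:
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256)
    return _b64(mac.digest())

def build_token(app_id, secret, method, params, now=None, ttl=MAX_TTL):
    """Build the request token server-side so the Secret Key stays off the client."""
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("exp must be within 5 minutes of IAT")
    now = int(time.time()) if now is None else now
    # Claim names follow the page's list; the method's parameters are merged in.
    payload = {"AppId": app_id, "IAT": now, "exp": now + ttl,
               "method": method, **params}
    header = {"alg": "HS256", "typ": "JWT"}  # assumption: HS256
    parts = [_b64(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + _sign(secret, signing_input)

def check_token(token, secret, now=None):
    """Receiver-side check; its two errors match the log entries to monitor."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    # The HMAC is always recomputed; the token's own "alg" header is never trusted.
    if len(parts) != 3 or not hmac.compare_digest(
            parts[2].encode(), _sign(secret, parts[0] + "." + parts[1]).encode()):
        raise ValueError("Signature Mismatch")
    claims = json.loads(_unb64(parts[1]))
    if claims["exp"] <= now:
        raise ValueError("Token expired")
    return claims

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    tok = build_token("demo-app-id", "demo-secret-key", "Login",
                      {"Username": "user@example.com"}, now=1_700_000_000)
    print(tok)
    print(check_token(tok, "demo-secret-key", now=1_700_000_100))
```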