JSON Web Token

We use JWT as our access token format. This means you can decode the access token locally to get some information about the user that the token belongs to. This only contains non-sensitive data like user ID, username and the scopes that the token is valid for.

This functionality is useful because there is no extra API call needed to retrieve user data. This makes the authentication portable between clients, APIs and even authentication services.

Decoding

Online

You can use the check-token endpoint of the authentication API to get the contents of a JWT back as response. Check the reference documentation for details.

Offline

You can use any of the JWT client libraries for your language to decode the JWT using our public key. Most libraries have a decode method available that takes the JWT and public key (also called secret) as parameters. An example in python is:

import jwt  # comes from the PyJWT library, available using `pip install PyJWT`
jwt.decode("JWT_TOKEN", "PUBLIC_KEY", algorithms=["RS512"])

In order to decode the token offline, you must download our public key from https://account.ultimaker.com/public-key. We recommend downloading the public key dynamically and not caching it for too long as it might change at any time.

Info

We use the RS512 encryption method to encode the JWT on our servers. You must use the same method to decode it again.