JSON Web Token¶
We use JWT as our access token format. This means you can decode the access token locally to get some information about the user that the token belongs to. This only contains non-sensitive data like user ID, username and the scopes that the token is valid for.
This functionality is useful because there is no extra API call needed to retrieve user data. This makes the authentication portable between clients, APIs and even authentication services.
You can use the
check-token endpoint of the authentication API to get the contents of a JWT back as response.
Check the reference documentation for details.
You can use any of the JWT client libraries for your language to decode the JWT using our public key. Most libraries have a
decode method available that takes the JWT and public key (also called secret) as parameters. An example in python is:
import jwt # comes from the PyJWT library, available using `pip install PyJWT` jwt.decode("JWT_TOKEN", "PUBLIC_KEY", algorithms=["RS512"])
In order to decode the token offline, you must download our public key from
We recommend downloading the public key dynamically and not caching it for too long as it might change at any time.
We use the
RS512 encryption method to encode the JWT on our servers. You must use the same method to decode it again.