Handle and store JWTs

This article provides instructions and best practices for handling and storing JSON Web Token (JWT) license tokens in your client application.

Validate JWTs

When your client application receives the JWT, validate its content:

  • Match the hardware ID of the device on which the application is running against the hardware ID in the stored JWT.

  • Check that the JWT is currently valid, that is, that the current time is between the iat and exp timestamps.

  • Check that the user in the JWT sub (or iss) field matches the user information received at user authentication (for example, from the ID token).

  • Check that the licensed item in the JWT applies to the feature or functionality in the client application that the user is trying to access.
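The four checks above as one fail-closed function. This is an added example, not 10Duke code. It assumes the payload comes from a token whose signature was already verified with a JWT library. The claim names `hw_id` and `licensed_items`, the 30-second clock-skew leeway and the sample values are assumptions made for illustration.

```python
import time

# Hypothetical claim names: the page does not say which claims carry the
# hardware ID or the licensed items, so adjust these to your token layout.
HW_CLAIM = "hw_id"
ITEMS_CLAIM = "licensed_items"


def license_problems(claims, *, device_hw_id, user_id, feature, now=None, leeway=30):
    """Return the reasons to reject the token; an empty list means accept.

    `claims` must be the payload of a JWT whose signature was already verified.
    Missing or malformed claims count as failures (fail closed).
    `leeway` (seconds of tolerated clock skew) is an assumption of this example.
    """
    now = time.time() if now is None else now
    problems = []

    # 1. The token must be bound to the device the application runs on.
    if not claims.get(HW_CLAIM) or claims.get(HW_CLAIM) != device_hw_id:
        problems.append("hardware ID mismatch")

    # 2. The current time must lie between iat and exp.
    iat, exp = claims.get("iat"), claims.get("exp")
    if not all(isinstance(t, (int, float)) and not isinstance(t, bool) for t in (iat, exp)):
        problems.append("iat/exp missing or not numeric")
    elif now + leeway < iat:
        problems.append("token not yet valid")
    elif now - leeway >= exp:
        problems.append("token expired")

    # 3. The subject must be the authenticated user (sub is used here).
    if not claims.get("sub") or claims.get("sub") != user_id:
        problems.append("user mismatch")

    # 4. The requested feature must be covered by the license.
    items = claims.get(ITEMS_CLAIM)
    if not isinstance(items, list) or feature not in items:
        problems.append("feature not licensed")

    return problems


# Constructed sample payload, not a real 10Duke Enterprise token.
SAMPLE = {"sub": "user-123", "iat": 1_700_000_000, "exp": 1_700_003_600,
          "hw_id": "HW-AAAA", "licensed_items": ["editor", "export"]}
```

Run the same function both when the token is first received and each time it is read back from storage, and grant access only when the returned list is empty.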

Verify the signature of JWTs

When 10Duke Enterprise grants a JWT license token, it signs the token using a private key. When your client application receives the JWT, the application validates the signature using the corresponding public key to ensure that the token is genuine.

Your application should also verify the JWT signature every time it reads the token from storage.

You can find the public key at https://<your 10Duke Enterprise instance>/.well-known/jwks.json.

For security reasons, we recommend that you don’t hardcode the public key in the client application. The client application should always fetch the public key from 10Duke Enterprise, which enables rolling of the keys as needed.

For verifying the signature of tokens, you can find libraries for various platforms and languages on the jwt.io website.

Recommendations on storing JWTs

If the JWT has a short validity time, it’s sufficient to save it in the client application memory.

However, if the JWT has a longer validity time and must remain usable after the client application restarts, we recommend that you save it in the registry or on disk. If possible, use a safe location where application-specific data is stored.