|
| 1 | +--- |
| 2 | +title: 'JWT Handshake' |
| 3 | +description: 'Use a customized login flow to authenticate users' |
| 4 | +--- |
| 5 | + |
| 6 | +<Info> |
| 7 | + This is the documentation for the JWT **Authentication** Handshake. The steps for setting up the [JWT **Personalization** Handshake](/settings/authentication-personalization/personalization/jwt) are slightly different. |
| 8 | +</Info> |
| 9 | + |
| 10 | +If you don’t have a dashboard, or if you want to keep your dashboard and docs completely separate, you can use your own login flow to authenticate users via a JWT in the URL. |
| 11 | + |
| 12 | +## Implementation |
| 13 | + |
| 14 | +<Steps> |
| 15 | + <Step title="Generate a private key"> |
| 16 | + Go to your [Mintlify dashboard settings](https://dashboard.mintlify.com/mintlify/mintlify/products/authentication) and generate a private key. Store this key somewhere secure where it can be accessed by your backend. |
| 17 | + </Step> |
| 18 | + <Step title="Create a login flow"> |
| 19 | + Create a login flow that does the following: |
| 20 | + - Authenticate the user |
| 21 | + - Create a JWT containing the authenticated user's info in the [UserInfo](../sending-data) format |
| 22 | + - Sign the JWT with the secret key, using the EdDSA algorithm |
| 23 | + - Create a redirect URL back to your docs, including the JWT as the hash |
| 24 | + </Step> |
| 25 | + <Step title="Configure your User Auth settings"> |
| 26 | + Return to your [Mintlify dashboard settings](https://dashboard.mintlify.com/mintlify/mintlify/products/authentication) and add the login URL to your User Auth settings. |
| 27 | + </Step> |
| 28 | +</Steps> |
| 29 | + |
| 30 | +## Example |
| 31 | + |
| 32 | +I want to set up authentication for my docs hosted at `docs.foo.com`. I want my docs |
| 33 | +to be completely separate from my dashboard (or I don’t have a dashboard at all). |
| 34 | + |
| 35 | +To set up authentication with Mintlify, I go to my Mintlify dashboard and generate a |
| 36 | +JWT secret. I create a web URL `https://foo.com/docs-login` that initiates a login flow |
| 37 | +for my users. At the end of this login flow, once I have verified the identity of the user, |
| 38 | +I create a JWT containing the user’s custom data according to Mintlify’s specification. |
| 39 | +I use a JWT library to sign this JWT with my Mintlify secret, create a redirect URL of the |
| 40 | +form `https://docs.foo.com/login/jwt-callback#{SIGNED_JWT}`, and redirect the user. |
| 41 | + |
| 42 | +I then go to the Mintlify dashboard settings and enter `https://foo.com/docs-login` for the |
| 43 | +Login URL field. |
| 44 | + |
| 45 | +Here's what the code might look like: |
| 46 | + |
| 47 | +<CodeGroup> |
| 48 | +```ts |
| 49 | +import * as jose from 'jose'; |
| 50 | +import { Request, Response } from 'express'; |
| 51 | + |
| 52 | +const TWO_WEEKS_IN_MS = 1000 * 60 * 60 * 24 * 7 * 2; |
| 53 | + |
| 54 | +const signingKey = await jose.importPKCS8(process.env.MINTLIFY_PRIVATE_KEY, 'EdDSA'); |
| 55 | + |
| 56 | +export async function handleRequest(req: Request, res: Response) { |
| 57 | + const userInfo = { |
| 58 | + expiresAt: Math.floor((Date.now() + TWO_WEEKS_IN_MS) / 1000), // 2 week session expiration |
| 59 | + groups: res.locals.user.groups, |
| 60 | + content: { |
| 61 | + firstName: res.locals.user.firstName, |
| 62 | + lastName: res.locals.user.lastName, |
| 63 | + }, |
| 64 | + }; |
| 65 | + |
| 66 | + const jwt = await new jose.SignJWT(userInfo) |
| 67 | + .setProtectedHeader({ alg: 'EdDSA' }) |
| 68 | + .setExpirationTime('10 s') // 10 second JWT expiration |
| 69 | + .sign(signingKey); |
| 70 | + |
| 71 | + return res.redirect(`https://docs.foo.com#${jwt}`); |
| 72 | +} |
| 73 | +``` |
| 74 | + |
| 75 | +```python |
| 76 | +import jwt # pyjwt |
| 77 | +import os |
| 78 | + |
| 79 | +from datetime import datetime, timedelta |
| 80 | +from fastapi.responses import RedirectResponse |
| 81 | + |
| 82 | +private_key = os.getenv(MINTLIFY_JWT_PEM_SECRET_NAME, '') |
| 83 | + |
| 84 | +@router.get('/auth') |
| 85 | +async def return_mintlify_auth_status(current_user): |
| 86 | + jwt_token = jwt.encode( |
| 87 | + payload={ |
| 88 | + 'exp': int((datetime.now() + timedelta(seconds=10)).timestamp()), # 10 second JWT expiration |
| 89 | + 'expiresAt': int((datetime.now() + timedelta(weeks=2)).timestamp()), # 1 week session expiration |
| 90 | + 'groups': ['admin'] if current_user.is_admin else [], |
| 91 | + 'content': { |
| 92 | + 'firstName': current_user.first_name, |
| 93 | + 'lastName': current_user.last_name, |
| 94 | + }, |
| 95 | + }, |
| 96 | + key=private_key, |
| 97 | + algorithm='EdDSA' |
| 98 | + ) |
| 99 | + |
| 100 | + return RedirectResponse(url=f'https://docs.foo.com/login/jwt-callback#{jwt_token}', status_code=302) |
| 101 | +``` |
| 102 | +</CodeGroup> |
0 commit comments