• Select

  • Select

JWT Token Generation

Apollo SDKs need to be authenticated to provide access to the SDK to a designated user on the tenant app. This is achieved by passing a signed JWT token to the SDK. The private key used to sign the token is owned by the tenant. The corresponding public key is then used by Zeta’s backend to verify the token.

Generation of the tenantAuthToken should be done server-side as it involves signing the data with a private key. The private key should never be compromised. The details for this are shared in the email. This can later be accessed through the Apollo dashboards.

Note: There is a unique private key per SDK that is configured in Zeta’s backend.

For backend in Java

Pre-requisites

  1. Add following maven repo urls in the pom file of the project
Switch Theme
Expand More
Copy 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

<project>
...
 <repositories>
 <repository>
 <id>apollo-maven</id>
 <name>Apollo maven</name>
 <url>https://apollo-sdk.zetaapps.in/repository/maven-releases/</url>
<username>my_login</username>
<password>my_password</password>
 </repository>
 <repository>
 <id>apollo-maven-snapshots</id>
 <name>Apollo maven snapshot</name>
 <url>https://apollo-sdk.zetaapps.in/repository/maven-snapshots/</url>
<username>my_login</username>
<password>my_password</password>
 </repository>
 </repositories>
...
</project>
Code Copied

Note: Use the same credentials, as shared for the Android SDK’s maven repo, to access the maven repository.

  1. Add the following dependency in the pom.xml file of your service.
Switch Theme
Expand More
Copy 
1
2
3

<groupId>in.zeta.apollo</groupId>x
  	<artifactId>tenant-commons</artifactId>
  	<version>1.1</version>
Code Copied

JWT Generation

Switch Theme
Expand More
Copy 
1
2
3
4

String jwtToken = AsymmetricJwtTokenGenerator.generateJWT(<<issuerId>>,                                   					<<base64EncodedPrivateKey>>,
                                 <<algorithm>>,
                                 <<claims>,
                                 <<expiryEpochTimeInMilliseconds>>);
Code Copied

Params:

  • issuerId: company domain. For eg zeta.in
  • base64EncodedPrivateKey: The private key owned by the tenant (Currently, provided by Zeta)
  • algorithm: Algorithm used for key-pair generation. Currently, only “EC” is supported
  • expiryEpochTimeInMilliseconds: expiry epoch time in milliseconds.
  • claims: Any claim that the tenant/consumer wants to add to jwt. Object type should be Map<String, Object> Sample claims map: { ‘tenantUniqueVectorId’: ‘’ }
  • tenantUniqueVectorId: This field is used to authenticate the SDK. The tenantUniqueVector should be a unique identity generated by the tenant. The same id is verified by the Zeta system (using the JWT authentication token given by the host app) while authenticating the SDK during registration.

Note: Please contact Zeta for any assistance required in deciding the ‘tenantUniqueVectorId’ values.

For backend in Python

For a backend written in Python PyJWT can come handy to generate teh signed JWT token. You can read the installation steps from the official doc. Here is a code snippet on how to use the library:

Switch Theme
Expand More
Copy 
1
2
3
4
5
6
7
8

def create_jwt_token(account_holder_id):
    iat = int(timezone.now().timestamp())
    valid_till_seconds = 10 * 60  # 10 minutes
    exp = iat + valid_till_seconds
    payload = {"iss": "<issuer_name>", "tenantUniqueVectorId": <tenantVecotId>, "iat": iat, "exp": exp}
    private_key = open(ZETA_CARD_JWT_PRIVATE_KEY_PATH, 'rb').read()
    token = jwt.encode(payload, key=private_key, algorithm='ES256').decode('utf-8')
    return token
Code Copied

For backend in Node.js

For backend in node.js, you can use the library node-jsonwebtoken. Here is a code snippet on how to generate the signed JWT token:

Switch Theme
Expand More
Copy 
1
2
3
4
5
6
7
8

var jwt = require('jsonwebtoken');
const fs = require('fs')

var privateKey = fs.readFileSync('privatekeyfile.txt');
console.log("The private key is: " + JSON.stringify(privateKey));

var token = jwt.sign({ foo: 'bar' }, privateKey, { algorithm: 'ES256' })
console.log("The token is: " + JSON.stringify(token));
Code Copied

The format of the Private key in the file should be a PEM format. A sample key would look like this:

Switch Theme
Expand More
Copy 
1
2
3
4
5

-----BEGIN PRIVATE KEY-----
MHcCAQEEIMzb6/TC9IzdsPZJ3m0O+WXWYfBNmkF8Y6KaHBUVtkkgoAoGCCqGSM49
<segment-2>
<segment-3>
-----END PRIVATE KEY-----
Code Copied

Note: Each line between the header and the footer should have a maximum of 64 characters.

Things to Remember

  • The JWT token must be generated and passed on to the SDK during runtime.
  • The private key should not be compromised in any case. Hence, the token generation logic should sit in the tenant’s backend.
  • You should always send a non-expired token while requesting authentication.