Access Tokens

When a user completes their authentication on the hosted auth page, they will be redirected back to your application. With this redirect, an access token is included that you can use to authenticate the user in your application.

The access token is a JWT which expires after seven days and is signed with the access token secret, that can be viewed in the User Management settings in the dashboard.

Validating the Token

To validate the token, you can use the JWT library for your language of choice.

const jwt = require('jsonwebtoken');
const secret = process.env.ANZU_ACCESS_TOKEN_SECRET;

function validateToken(token) {
  return new Promise((resolve, reject) => {
    jwt.verify(
      token,
      secret,
      { algorithms: ["HS256"] },
      (err, decoded) => {
        if (err) {
          reject(err);
        } else {
          resolve(decoded);
        }
      }
    );
  });
}
js

With some helper functions, you can read the Authorization header, validate the token, and return the user ID.

const app = require('express')();

async function getPostsByUser(userId) {
    // ...
    return [];
}

function authMiddleware() {
  return async (req, res, next) => {
    const authHeader = req.headers['authorization'];
    if (!authHeader) {
      return res.status(401).send('No token provided.');
    }
    
    const token = authHeader.replace('Bearer ', '');

    try {
      const decoded = await validateToken(token);
      req.userId = decoded.sub;
      next();
    } catch (err) {
      return next(err);
    }
  };
}

function currentUserId(req) {
    return req.userId;
}

app.use(authMiddleware());

app.get("/posts", async (req, res) => {
    const userId = currentUserId(req);
    const posts = await getPostsByUser(userId);
    res.send(posts);
});

app.listen(3000);
js

Token Payload

The token encodes the following information:

{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "<environmentId>"
}
json

The payload looks like the following:

{
  "iat": 1662209363,
  "exp": 1662814163,
  "iss": "api.anzuhq.com",
  "sub": "<userIdentityId>",
  "jti": "<accessTokenId>"
}
json

Related

User Identities

Understanding User Identities

Access Tokens

Using access tokens to authenticate users in your application

Hosted Page

Using and customizing the hosted auth page