Verify the JWT received by the secure endpoint | Community
Skip to main content

Verify the JWT received by the secure endpoint

  • April 9, 2023
  • 4 replies
  • 0 views
lomo

Hi,

Im building a zendesk app and have a question regrading the validation procedure for the JWT token received with signedUrls: true.

according to the documentation here:

https://developer.zendesk.com/documentation/apps/build-an-app/building-a-server-side-app/part-5-secure-the-app/#getting-your-zendesk-apps-public-key-and-installation-id

i need the user name and password of a user in the instance in order to obtain the public key of the app and the installation id... 

however, when published to the marketplace our app will be installed on different instances for which we obv don't have a user name or password.. 

can we expect the public key not to be changed or i'm missing something?

 

    4 replies

    Greg29
    • Greg29
    • April 10, 2023

    Hi Itay! That's a good question and it seems that this is not something that we have clearly documented, so apologies for that. 

    When you're creating an installing an app, there are two IDs that exist: 1) the installation_id, which is specific to the version installed in each instance and 2) the app_id, which is the unique identifier for the app regardless of how many instances it is installed in. When you use the signed URLs functionality, you are using the app_id, which means that it will be the same in all instances that it is installed into. If you would like to test this, you can use the preview app functionality, so that you can share it with another instance before you publish it to the marketplace.

    Let us know if you have any other questions!

    lomo
    • lomo
    • Author
    • April 10, 2023

    thanks for the answer greg. but in order to validate the jwt i need to get the public key of the app from this url:
    curl https://{subdomain}.zendesk.com/api/v2/apps/{app_id}/public_key.pem
    and this url is protected by user name and password which i dont have for this subdomain...
    can i assume that the public key is shared across all instances as well?

    Greg29
    • Greg29
    • April 10, 2023
    Yep, the public key will be the same for all instances! And when you need to request the installation_id further on, you can use the client.metadata() object to get that information. Since the request is being made from their sidebar instance, it uses their credentials to return that data.
    lomo
    • lomo
    • Author
    • April 10, 2023

    Thanks again for the fast response Greg. one more question on the installation_id.

    i need the installation_id on the backend side not in the client side. 

    if i use the client.metadata() and send it to the server so it obviously won't be secured that the server relies on the installation id provided by the client itself..

    how should i get in the backend without relying on the client?

     

    Terms & ConditionsCookie settingsAccessibility statement