JWT token


Last updated 5 years ago


Why do we need a JWT token?

A client running the SDK gets a challenge from the BotProtection machine and then sends the result to your backend server in a JWT token. Because the token is signed, your backend can verify that the challenge was not skipped or tampered with, and can read the BotProtection bot score together with its label (bot or not a bot).

What is a JWT token?

JWT (JSON Web Token) is an Internet standard for creating JSON-based access tokens that assert some number of claims.

For example, a server could generate a token that has the claim "logged in as admin" and provide that to a client. The client could then use that token to prove that it is logged in as admin. The tokens are signed with the issuer's key (a shared secret for HMAC algorithms, a private key for RSA), so that the receiving party is able to verify that the token is legitimate. The tokens are designed to be compact, URL-safe, and usable especially in a web-browser single-sign-on (SSO) context. JWT claims are typically used to pass the identity of authenticated users between an identity provider and a service provider, or any other type of claims required by business processes.

JWT relies on two other JSON-based standards: JSON Web Signature (JWS) and JSON Web Encryption (JWE).

Structure

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

The alg field identifies which algorithm is used to generate the signature. HS256 indicates that this token is signed using HMAC-SHA256.

Typical cryptographic algorithms used are HMAC with SHA-256 (HS256) and RSA signature with SHA-256 (RS256). Note that the header is part of the unsigned input, so a verifier must not let it choose the algorithm: the backend should decide which algorithm (and key) it expects and reject any token whose header says otherwise, including "none".

Payload

{
  "challenge_id": "b5fbbb86-1c7e-4f78-bb8b-1a6f2f17b17d",
  "result": 0.9494475560,
  "iat": 1578597646,
  "exp": 1578597706
}

Contains a set of claims. The JWT specification defines seven Registered Claim Names (the standard fields) which are the ones commonly included in tokens. Custom claims are usually also included, depending on the purpose of the token.

This example has the standard Issued At Time claim (iat) and the Expiration Time claim (exp). If the time at which the token is checked is at or past exp, verification fails; here the token is valid for 60 seconds after it was issued. challenge_id and result are custom fields which carry information about the passed challenge.

Signature

HMAC_SHA256( base64urlEncoding(header) + '.' + base64urlEncoding(payload), secret )

Securely validates the token. The signature is calculated by Base64url-encoding the header and the payload and concatenating the two with a period separator. That string is then run through the cryptographic algorithm specified in the header, in this case HMAC-SHA256 keyed with the shared secret (with RS256 the issuer signs with its RSA private key and the verifier needs only the public key). Base64url encoding is similar to base64, but uses different non-alphanumeric characters ('-' and '_' instead of '+' and '/') and omits padding. The verifier recomputes the signature over the first two parts with its own key and accepts the claims only if it matches the third part exactly.
