Authenticating with Rollout

Make sure to always generate Rollout Consumer JWTs on your server in order to keep your Client Secret secure

Partners authenticate with Rollout by means of a privately signed JWT, using the HS512 algorithm. The JWT is required for rendering Rollout UI components or for making requests to your Project Environment's API endpoints.

A Rollout JWT is valid for a specific Consumer and Rollout environment. In order to generate a signed JWT, you'll need the Consumer Token Signing Secret which can be found under the "API" tab of the environment for which you'd like to generate a JWT in the Rollout dashboard.

JWT claims#

issstringIssuer: Indicates the entity that issued the token. You can use any arbitrary identifier, such as your company's domain.
substringSubject: A unique ID (i.e. the consumerKey) for a Consumer. Should be consistent across components and requests pertaining to a given Consumer
iatintegerIssued At: UNIX timestamp denoting when the token was issued
expintegerExpires: UNIX timestamp denoting when the token expires
rollout.comobjectSee below

Rollout-specific claims#

Non-standard, Rollout-specific claims can be provided under the key.

authDataobjectIn case you are using JWT Authentication, this is where you can pass in the Consumer's auth data

Token Generation Javascript Code Example#

const TOKEN_TTL_SECS = 3600;
function generateRolloutConnectToken(userId) {
const nowSecs = Math.round( / 1000);
return jsonwebtoken.sign(
iss: process.env.ROLLOUT_CLIENT_ID, // Provided in the Rollout dashboard
sub: userId, // Persistent identifier for the consuming user. Must be a string
exp: nowSecs + TOKEN_TTL_SECS, // Token expiration
process.env.ROLLOUT_CLIENT_SECRET, // Provided in the Rollout dashboard
{ algorithm: "HS512" }