Authenticating with Rollout
Make sure to always generate Rollout Consumer JWTs on your server, in order to keep your Client Secret secure.
Partners authenticate with Rollout by means of a privately signed JWT, using the HS512 algorithm. The JWT is required for rendering Rollout UI components or for making requests to your Project Environment's API endpoints.
A Rollout JWT is valid for a specific Consumer and Rollout environment. In order to generate a signed JWT, you'll need the Consumer Token Signing Secret, which can be found under the "API" tab of the environment for which you'd like to generate a JWT in the Rollout dashboard.
JWT claims
Claim | Required | Type | Description |
---|---|---|---|
iss | ✅ | string | Issuer: Indicates the entity that issued the token. You can use any arbitrary identifier, such as your company's domain. |
sub | ✅ | string | Subject: A unique ID (i.e. the consumerKey) for a Consumer. Should be consistent across components and requests pertaining to a given Consumer. |
iat | ✅ | integer | Issued At: UNIX timestamp denoting when the token was issued. |
exp | ✅ | integer | Expires: UNIX timestamp denoting when the token expires. |
rollout.com | | object | Rollout-specific claims; see below. |
Rollout-specific claims
Non-standard, Rollout-specific claims can be provided under the rollout.com key.
Claim | Required | Type | Description |
---|---|---|---|
authData | | object | In case you are using JWT Authentication, this is where you pass in the Consumer's auth data. |
Token Generation JavaScript Code Example

```javascript
const jsonwebtoken = require("jsonwebtoken");

const TOKEN_TTL_SECS = 3600;

function generateRolloutConnectToken(userId) {
  const nowSecs = Math.round(Date.now() / 1000);
  return jsonwebtoken.sign(
    {
      iss: process.env.ROLLOUT_CLIENT_ID, // Provided in the Rollout dashboard
      sub: userId, // Persistent identifier for the consuming user. Must be a string
      iat: nowSecs, // Issued-at; jsonwebtoken would also add this automatically
      exp: nowSecs + TOKEN_TTL_SECS, // Token expiration
    },
    process.env.ROLLOUT_CLIENT_SECRET, // Provided in the Rollout dashboard
    { algorithm: "HS512" }
  );
}
```