JWT-Based Authentication for Silent Login
Partners can allow advertisers to access the GoWit panel without a password prompt by issuing a signed JSON Web Token (JWT). The token conveys the advertiser context and is validated by the platform before granting access.
How It Works
- Partner signs a JWT using the shared secret
  - Use the approved algorithm (HS256).
  - Include the advertiser context in the claims. Example claims:
    - sub: advertiser ID
    - iat: issued-at timestamp
    - exp: expiration timestamp
- Redirect to GoWit
  - Attach the JWT as a query parameter or Authorization header in the redirect URL.
  - Note that query strings are routinely written to web-server logs and browser history and can leak through Referer headers; the short TTL below limits that exposure, and the Authorization header avoids it where your redirect mechanism allows it.
- GoWit validates the token
  - Confirms the signature, algorithm, expiration, and advertiser context before allowing access. A token that fails any one of these checks is rejected.
Security Requirements
- Token TTL
  - Keep the lifetime short (e.g., ≤5 minutes) and ensure the exp claim is present. A token without exp is rejected.
- Approved Algorithm
  - Only HMAC-SHA256 (HS256) is supported. Any other alg value (including none) will cause validation to fail.
- Shared Secret Management
  - Exchange the secret through a secure channel, never in the redirect URL or in client-side code, and rotate it periodically.
- Audience / Issuer (optional)
  - If you manage multiple environments, add aud and iss claims to pin the token to the intended service, so a token minted for a staging environment cannot be replayed against production.
Common Pitfall: Time Drift
Token validation is time-sensitive. Even small clock differences between the partner's signing server and GoWit can cause otherwise valid tokens to be rejected, typically because the iat claim appears to be in the future or the exp claim appears to have already passed.
- Sync servers to an NTP source (e.g., ntp.org).
- Monitor for drift and correct it automatically (using tools like chrony or systemd-timesyncd).
- When debugging, check the server time against an external source before investigating other causes.
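The following is an added example that walks through the whole flow described in "How It Works", enforces the checks listed under "Security Requirements", and shows how a small clock-skew leeway addresses the time-drift pitfall. It is not GoWit's or any partner's code: it implements HS256 with the Python standard library only, and the panel URL, issuer, audience, secret and leeway values are placeholders chosen for the demonstration.

```python
# Added example: stdlib-only HS256 signing and validation for the silent-login flow.
# The secret, panel URL, issuer, audience and leeway below are placeholders (assumptions).
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 300        # <=5 minutes, per the TTL requirement
CLOCK_SKEW_LEEWAY = 30         # tolerated partner/platform drift (assumed value)
PANEL_LOGIN_URL = "https://panel.example/silent-login"   # hypothetical endpoint
EXPECTED_ISS = "partner-example"                          # hypothetical issuer
EXPECTED_AUD = "gowit-panel"                              # hypothetical audience


class TokenError(Exception):
    """Raised when a token fails any validation step."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    # Compact JSON so the bytes that get signed are deterministic.
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(advertiser_id: str, secret: bytes, now: Optional[int] = None) -> str:
    """Partner side: mint a short-lived HS256 token carrying the advertiser context."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": advertiser_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS,
              "iss": EXPECTED_ISS, "aud": EXPECTED_AUD}
    signing_input = f"{_segment(header)}.{_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def build_redirect_url(token: str) -> str:
    """Partner side: attach the token to the redirect as a query parameter."""
    return f"{PANEL_LOGIN_URL}?{urlencode({'token': token})}"


def forge_alg_none(claims: dict) -> str:
    """Attacker-style token with alg=none and an empty signature; must be rejected."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None,
               leeway: int = CLOCK_SKEW_LEEWAY) -> dict:
    """Platform side: check alg, signature, exp, iat, iss/aud and sub, in that order."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, c_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
    except ValueError:
        raise TokenError("unreadable header")
    # Pin the algorithm from our own policy; the header never chooses the verifier.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unsupported alg")
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    try:
        provided = _b64url_decode(s_b64)
    except ValueError:
        raise TokenError("malformed signature")
    if not hmac.compare_digest(expected, provided):   # constant-time comparison
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(c_b64))
    except ValueError:
        raise TokenError("unreadable claims")
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        raise TokenError("missing exp")
    if now > claims["exp"] + leeway:
        raise TokenError("expired")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + leeway:
        raise TokenError("issued in the future (check clock sync)")
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise TokenError("wrong iss/aud")
    if not claims.get("sub"):
        raise TokenError("missing advertiser context")
    return claims


def check(token: str, secret: bytes, now: int, leeway: int = CLOCK_SKEW_LEEWAY) -> str:
    """Return 'ok' or the rejection reason; handy for tests and for logging rejections."""
    try:
        verify_jwt(token, secret, now=now, leeway=leeway)
        return "ok"
    except TokenError as err:
        return str(err)


if __name__ == "__main__":
    secret = b"placeholder-shared-secret"   # constructed for the demo only
    t0 = 1_700_000_000
    token = sign_jwt("adv-123", secret, now=t0)
    print(build_redirect_url(token))
    print(check(token, secret, now=t0 + 10))      # ok
    print(check(token, secret, now=t0 + 400))     # expired
    print(check(forge_alg_none({"sub": "adv-123", "exp": t0 + 300}), secret, now=t0))
    # Partner clock 20 s ahead: accepted with leeway, rejected with leeway=0.
    ahead = sign_jwt("adv-123", secret, now=t0 + 20)
    print(check(ahead, secret, now=t0), "|", check(ahead, secret, now=t0, leeway=0))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so an attacker-controlled alg or payload never influences which verifier runs. The leeway is applied symmetrically to exp and iat; keep it small (tens of seconds), because every second of leeway extends the effective TTL, and treat a steady stream of "issued in the future" rejections as a clock-sync problem on the partner side rather than a token bug.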