JWT Secret in Json Panel

Hello,

I am currently integrating my application via the Pipedrive development space.
I’m using a JSON Panel to display certain information from my software, but it turns out I am required to enter either (HTTP Auth username / HTTP Auth password) or (JWT secret), given that my user needs to connect to my API automatically when they install my application from the Marketplace.

I would therefore like to understand how the JWT Secret works because I haven’t really grasped its utility.

Hi @Romain,

The token is generated on our side and will be sent as a query param to the API endpoint that is defined for your JSON panel.

Besides validating the request, the JWT identifies which user and PD company is loading the app extension.

In Node.js, the request handler might include the following code:

import jwt from 'jsonwebtoken';

const token = ... // get token from query params

try {
    const { userId, companyId } = jwt.verify(token, SECURELY_STORED_SECRET);
    ...
} catch (error) { ... }

You can learn more about JWT from the official docs (JSON Web Token Introduction - jwt.io), or let me know if you have more questions.

So I just need to generate a JWT secret on jwt.io or do it in PHP and put it in the Pipedrive Json Modal?

Hi @Romain,

You need to generate a JWT secret, save it privately and put it into the added JSON app extension. This secret can now be used to verify the JWT token on the request from Pipedrive to your API endpoint.

In the PHP library (GitHub - firebase/php-jwt: PHP package for JWT) there is no verify method, but it still throws a SignatureInvalidException if token verification fails on decode.

use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Firebase\JWT\SignatureInvalidException;

$secret = ... // get secret from env variables

try {
    $key = new Key($secret, 'HS256');

    JWT::decode($jwt, $key);

    // continue
} catch (SignatureInvalidException $exception) {
    // failed to verify JWT token
}
