Handle and store JWTs

This article gives some instructions and best practices for handling and storing JSON Web Token (JWT) license tokens in your client application.

Validate JWTs

When your client application receives the JWT, validate the content:

  • Match the hardware ID of the device on which the application is running against the hardware ID in the stored JWT.

  • Check that the JWT is valid: that the current time is between the iat and exp timestamps.

  • If the license is being consumed by a user, check that the user in the JWT sub (or iss) field matches the user information received at user authentication (for example, from the ID token).

  • If the license is being consumed by a device client, check that the JWT sub (or iss) field specifies the unique ID of the correct device client. 10Duke Enterprise returns the unique ID when the device client is created by accepting the invitation.

  • Check that the licensed item in the JWT applies to the feature or functionality in the client application that the user or device client is trying to access.

Verify the signature of JWTs

When 10Duke Enterprise grants a JWT license token, it signs the token using a private key. When your client application receives the JWT, the application validates the signature using the corresponding public key to ensure that the token is genuine.

Your application should also always verify the JWT signature when it reads the token from the storage.

You can find the public key at https://<your 10Duke Enterprise instance>/.well-known/jwks.json.

For security reasons, we recommend that you don’t hardcode the public key in the client application. The client application should always fetch the public key from 10Duke Enterprise, which enables rolling of the keys as needed.

For verifying the signature of tokens, you can find libraries for various platforms and languages on the website.

Recommendations on storing JWTs

If the JWT has a short validity time, it’s sufficient to save it in the client application memory.

However, if the JWT has a longer validity time and needs to be valid also after restarting the client application, we recommend that you save it in the registry or on disk. If possible, use a safe location where any application-specific data is stored.