Handle and store JWT license tokens

This article gives some instructions and best practices for handling and storing JSON Web Token (JWT) license tokens in your client application.

Validate JWTs

When your client application receives the JWT, validate the content:

  • Match the hardware ID of the device on which the application is running against the hardware ID in the stored JWT.

  • Check that the JWT is valid: that the current time is between the iat and exp timestamps.

  • If the license is being consumed by a user, check that the user in the JWT sub (or iss) field matches the user information received at user authentication (for example, from the ID token).

  • If the license is being consumed by a device client, check that the JWT sub (or iss) field specifies the unique ID of the correct device client. 10Duke Enterprise returns the unique ID when the device client is created by accepting the invitation.

  • Check that the licensed item in the JWT applies to the feature or functionality in the client application that the user or device client is trying to access.

Verify the signature of JWTs

When 10Duke Enterprise grants a JWT license token, it signs the token using a private key. When your client application receives the JWT, the application validates the signature using the corresponding public key to ensure that the token was granted by 10Duke Enterprise and the data hasn’t been tampered with.

Your application should also verify the JWT signature every time it reads the token back from storage, not only when the token is first received.

You can find the public key at https://<your 10Duke Enterprise instance>/.well-known/jwks.json.

We recommend that client applications connected to the Internet always fetch the public key from 10Duke Enterprise, which allows the signing keys to be rotated as needed. Client applications deployed in environments without Internet access must store the public key in a safe location, alongside other application-specific data.

For verifying the signature of tokens, you can find libraries for various platforms and languages on the jwt.io website. You can also use the 10Duke Enterprise SDKs and client libraries that provide license consumption support, or create your own custom implementation.

Recommendations on storing JWTs

If the JWT has a short validity time, it’s sufficient to keep it in the client application’s memory.

However, if the JWT has a longer validity time and must remain valid across restarts of the client application, we recommend saving it in the registry or on disk. If possible, use a safe location where other application-specific data is stored.