Authorisation
Important
MediaStore APIs are executed on behalf of the customer (who is authenticated via JWT), therefore they have only a limited set of features compared to Core Platform APIs. As a benefit, they can be used for building frontend-only integrations without dedicated middleware.
MediaStore SDK uses JWT for authorisation. JWT payload contains:
- customerId,
- publisherId,
- expiration date.
You can decode JWT using:
- packages like jwt-decode, or
- an online decoder like jwt.io
Good to Know
JWT is valid for 15 minutes - the customer should be logged out after 15 minutes.
JWT is required for all methods in the Checkout part (exception: fetch offer details) and for all methods in My Account part. It is returned after successful login and registration.
Refresh Token
The aim of a refresh token is to avoid users' re-login.
A refresh token is issued as part of the authentication process along with the access JWT. The auth server saves this refresh token and associates it to a particular user in the database, so that it can handle the renewing JWT logic.
The renewing JWT logic uses a refresh token to generate a new access JWT in the background (a user is not aware of it) and thus avoids users’ re-login.
Check JWT validity and if it turns out that JWT has expired, call the /auths/refresh_token
endpoint.
A refresh token's features:
- Expiration time - 100 days
- It can be used only once and expires after that (i.e. if a refresh token has been used to create a new JWT, it should be deleted)
- A customer can have multiple refresh tokens (for example when he or she accesses an application from multiple devices).
A refresh token is generated in the following endpoints:
- Registration
/customers
- Login
/auths
- Refresh token
/auths/refresh_token
.
Updated about 3 years ago