Authorisation

🚧

Important

MediaStore APIs are executed on behalf of the customer (who is authenticated via JWT), therefore they have only a limited set of features compared to Core Platform APIs. As a benefit, they can be used for building frontend-only integrations without dedicated middleware.

MediaStore SDK uses JWT for authorisation. JWT payload contains:

• customerId,
• publisherId,
• expiration date.

You can decode JWT using:

• packages like jwt-decode, or
• an online decoder like jwt.io

Good to Know

JWT is valid for 15 minutes - the customer should be logged out after 15 minutes.
JWT is required for all methods in the Checkout part (exception: fetch offer details) and for all methods in My Account part. It is returned after successful login and registration.

Refresh Token

The aim of a refresh token is to avoid users' re-login.

A refresh token is issued as part of the authentication process along with the access JWT. The auth server saves this refresh token and associates it to a particular user in the database, so that it can handle the renewing JWT logic.

The renewing JWT logic uses a refresh token to generate a new access JWT in the background (a user is not aware of it) and thus avoids users’ re-login.

Check JWT validity and if it turns out that JWT has expired, call the /auths/refresh_token endpoint.

A refresh token's features:

• Expiration time - 100 days
• It can be used only once and expires after that (i.e. if a refresh token has been used to create a new JWT, it should be deleted)
• A customer can have multiple refresh tokens (for example when he or she accesses an application from multiple devices).

A refresh token is generated in the following endpoints:

• Registration /customers
• Login /auths
• Refresh token /auths/refresh_token.