Other

How to use Passage without a backend SDK

While SDKs certainly make things a bit easier, you can still use Passage if your language of choice does not have a provided SDK. This guide is designed to help you through that setup.

First, it is important to know that you can still use the Passkey Complete Element in your frontend that same way you always do. The purpose of the backend SDK is to:

  1. Provide helpers to validate JWTs from Passage and enforce authorization
  2. Provide easy access to user functionality like getting and editing user details.

Validation Passage JWTs

Almost every language has a library for validating JWTs. Here are a few we recommend:

Language/FrameworkLibrary
Javahttps://github.com/jwtk/jjwt
Python (Django or Flask)https://github.com/jpadilla/pyjwt
Node.jshttps://github.com/panva/jose
PHPhttps://github.com/firebase/php-jwt
Rubyhttps://github.com/jwt/ruby-jwt
Rusthttps://github.com/Keats/jsonwebtoken
Scalahttps://github.com/jwt-scala/jwt-scala

To use a library like this, you will first need to get your Passage public key from the console. It can be found under Settings —> General. Copy that public key and save it in an environment variable in your app.

Screen showing general settings page in console higlighting public keyCopy public key from the Console

If you are using an Element, the Passage JWT will be sent to your application via a cookie with the key psg_auth_token. We recommend writing a middleware that executes before every authenticated request and does the following:

  • Get the Passage auth token from the request
  • Validate using the public key and a JWT library
  • Get the Passage User ID from the “sub” claim of the JWT

When validating a JWT, there a few things you need to make sure you check. Most libraries should help with these.

  • The signature is valid.
  • The expiration time (“exp” claim) is after the current time.
  • The issuer of the token (“iss” claim) is https://auth.passage.id/v1/apps/<YOUR APP ID>.

Note: To learn more about JWTs and how they work, check out our security documentation.

Access to user functionality

The Passage User ID can then be used to get information about the user as needed (e.g. their email) either from your DB if you choose to store it there, or from the management API. To make requests to the management API you need to create an API key in the console under Settings —> API Keys.

Screen showing general settings page in console highlighting API keyCreate an API key in the Console

Generally speaking you will use the API to get and edit information about users, but the full set of endpoints are available here.