How to use Passage without a backend SDK
While SDKs certainly make things a bit easier, you can still use Passage if your language of choice does not have a provided SDK. This guide is designed to help you through that setup.
First, it is important to know that you can still use the Passage Element in your frontend the same way you always do. The purpose of the backend SDK is to:
1. Provide helpers to validate JWTs from Passage and enforce authorization.
2. Provide easy access to user functionality like getting and editing user details.
Almost every language has a library for validating JWTs. Here are a few we recommend:
Python (Django or Flask)
To use a library like this, you will first need to get your Passage public key from the console. It can be found under Settings --> General. Copy that public key and save it in an environment variable in your app.
Copy public key from the Console.
If you are using an Element, the Passage JWT will be sent to your application via a cookie with the key psg_auth_token. We recommend writing a middleware that executes before every authenticated request and does the following:
- Get the Passage auth token from the request
- Validate using the public key and a JWT library
- Get the Passage User ID from the "sub" claim of the JWT
The Passage User ID should be passed to your handlers to identify the current user. For example, in Node you can add this value to your request context like we do in our example app.
When validating a JWT, there are a few things you need to make sure you check. Most libraries should help with these.
- The signature is valid.
- The expiration time ("exp" claim) is after the current time.
- The issuer of the token ("iss" claim) is https://auth.passage.id/v1/apps/<YOUR APP ID>.
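The middleware steps and validation checks above, as an added Node example that uses only the built-in crypto module (it is not Passage's code). It assumes the token is signed with RS256 and that the key saved from the console is a PEM-encoded RSA public key; the throwaway key pair, DEMO_APP_ID and all function names are constructed for the demo.

```javascript
const crypto = require('crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const issuerFor = (appId) => `https://auth.passage.id/v1/apps/${appId}`;

// Step 1: pull psg_auth_token out of a raw Cookie header.
function tokenFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)psg_auth_token=([^;]+)/.exec(cookieHeader || '');
  return m ? m[1] : null;
}

// Steps 2-3: validate, then return the Passage User ID ("sub"), or throw.
// Assumption: RS256. The algorithm is pinned here, so a token cannot pick
// its own (for example "none" or HS256).
function verifyPassageToken(token, publicKeyPem, appId, now = Date.now() / 1000) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKeyPem,
    Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Claims are read only after the signature has been verified.
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (claims.iss !== issuerFor(appId)) throw new Error('wrong issuer');
  if (typeof claims.sub !== 'string' || !claims.sub) throw new Error('missing sub');
  return claims.sub;
}

// Constructed test material: a throwaway key pair stands in for Passage's keys.
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoPublicPem = demoKeys.publicKey.export({ type: 'spki', format: 'pem' });
function mintDemoToken(claims) {
  const input = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), demoKeys.privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

const demoCookie = 'theme=dark; psg_auth_token=' + mintDemoToken({
  sub: 'demo-user-id', iss: issuerFor('DEMO_APP_ID'),
  exp: Math.floor(Date.now() / 1000) + 300,
});
console.log(verifyPassageToken(tokenFromCookie(demoCookie), demoPublicPem, 'DEMO_APP_ID'));
```

In a real middleware, catch the thrown error, respond with 401, and only attach the returned user ID to the request context on success.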
The Passage User ID can then be used to get information about the user as needed (e.g. their email) either from your DB if you choose to store it there, or from the management API. To make requests to the management API you need to create an API key in the console under Settings --> API Keys.
Create an API Key.
Generally speaking, you will use the API to get and edit information about users, but the full set of endpoints is available here.