Support Blog Demo

Other

How to use Passage without a backend SDK

While SDKs certainly make things a bit easier, you can still use Passage if your language of choice does not have a provided SDK. This guide is designed to help you through that setup.

First, it is important to know that you can still use the Passage Element in your frontend that same way you always do. The purpose of the backend SDK is to:

  1. Provide helpers to validate JWTs from Passage and enforce authorization

  2. Provide easy access to user functionality like getting and editing user details.

Validation Passage JWTs

To learn more about JWTs and how they work, check out our security documentation.

Almost every language has a library for validating JWTs. Here are a few we recommend:

Language/Framework

Library

Java

https://github.com/jwtk/jjwt

Python (Django or Flask)

https://github.com/jpadilla/pyjwt

NodeJS

https://github.com/panva/jose

PHP

https://github.com/lcobucci/jwt

Ruby

https://github.com/jwt/ruby-jwt

Rust

https://github.com/Keats/jsonwebtoken

Scala

https://github.com/jwt-scala/jwt-scala

To use a library like this, you will first need to get your Passage public key from the console. It can be found under Settings --> General. Copy that public key and save it in an environment variable in your app.

If you are using an Element, the Passage JWT will be sent to your application via a cookie with the key psg_auth_token. We recommend writing a middleware that executes before every authenticated request and does the following:

  • Get the Passage auth token from the request

  • Validate using the public key and a JWT library

  • Get the Passage User ID from the "sub" claim of the JWT

The Passage User ID should be passed to your handlers to identify the current user. For example, in Node you can add this value to your request context like we do in our example app.

When validating a JWT, there a few things you need to make sure you check. Most libraries should help with these.

  • The signature is valid.

  • The expiration time ("exp" claim) is after the current time.

  • The issuer of the token ("iss" claim) is https://auth.passage.id/v1/apps/<YOUR APP ID>.

Access to User Functionality

The Passage User ID can then be used to get information about the user as needed (e.g. their email) either from your DB if you choose to store it there, or from the management API. To make requests to the management API you need to create an API key in the console under Settings --> API Keys.

Generally speaking you will use the API to get and edit information about users, but the full set of endpoints are available here.

PreviousGoNextCustom Registration Data

Last updated

Change request #337: react native