Validate signed data (JSON Web Tokens)

To guarantee that data has not been manipulated in the front end, all third-party transactions within the Checkin.com framework come with signed JWTs.

For additional security, these tokens can be decoded and verified using the Checkin.com public key. The keys used to sign the tokens are rotated and can be replaced at any time, so the public keys need to be downloaded and cached automatically.

Each token contains an identifier (kid) of the key that was used for signing. All public keys are available as a JSON Web Key Set (JWKS) at https://checkin.com/certs or https://develop.checkin.com/certs (test key).

Verifying the token

The validation must be done on the back end in order for the token to be validated correctly; a check that runs in the front end can be manipulated just like the data it is meant to protect.

const jwksClient = require('jwks-rsa')
const jwt = require('jsonwebtoken')

// Cache fetched keys so rotated keys are picked up without a JWKS round trip per token
const client = jwksClient({
  cache: true,
  cacheMaxEntries: 5,
  cacheMaxAge: 600000, // 10 minutes, in milliseconds
  jwksUri: 'https://checkin.com/certs',
})

// Look up the public key whose kid matches the one in the token header
function getPublicKey(header, callback) {
  client.getSigningKey(header.kid, function (err, key) {
    if (err) {
      // Unknown kid or unreachable JWKS: `key` is undefined here, so fail early
      return callback(err)
    }
    callback(null, key.getPublicKey())
  })
}

// The JWT data is often taken from TransactionInfo or the Auth object
const jwtToken = callbackData.user.auth.signedData // Example only

// Options: pin the accepted `algorithms` (and `issuer`/`audience` where known)
// rather than trusting the `alg` value carried in the token header
jwt.verify(jwtToken, getPublicKey, { /* options */ }, function (
  err,
  verifiedData,
) {
  if (err) {
    // Validation of the signed token failed. Errors can be:
    // TokenExpiredError, JsonWebTokenError, NotBeforeError, TypeError
    console.log(`${err.name}: ${err.message}`)
  } else {
    // Get attributes/parameters from verifiedData here
  }
})

This example is for JavaScript (node). For examples in other languages, see jwt.io.

Manual download of the Public Key

Deprecation warning

These keys will be deprecated by 2022-12-31. It is strongly recommended to use the JWKS endpoint at https://checkin.com/certs to dynamically download the public keys.

During the deprecation period it is still possible to download the public key manually. This example is for JavaScript (node) and assumes the public key has been saved as checkincom-public-key.pem.

const fs = require('fs');
const path = require('path');
const jsonwebtoken = require('jsonwebtoken');

//The Checkin.com public key
const publicKey = fs.readFileSync(path.resolve('checkincom-public-key.pem'));

//The JWT data is often taken from TransactionInfo or the Auth object
const jwtToken = callbackData.user.auth.signedData // Example only

//Make sure the token is valid. Pass { algorithms: [...] } as a third argument
//to restrict which signing algorithms are accepted.
try {
  const verifiedData = jsonwebtoken.verify(jwtToken, publicKey);
  //Get attributes/parameters from verifiedData here
} catch (err) {
  //Validation of signing did not work out (err.name is e.g. TokenExpiredError or JsonWebTokenError)
}