API v3 Authorization

The third-generation LaunchKey endpoints use a JSON Web Token found as a segment in the Authorization header. The Authorization header is broken into three segments separated by a colon (:). The segments are:

  • Category: organization or service
  • Key: Key for the entity
  • Token: JSON Web Token (JWT)

Here is an example request with an Authorization header for an organization using an abbreviated JWT:

    POST /whitelabel/v3/devices HTTP/1.1
    Content-Type: application/jwe
    Content-Length: 112
    Authorization: Bearer eyJhbGciOiJSU0EtT0FFUCIsIm.VuYyI6IkEyNTZHQ00ifQ.OKOawDo13gRp2ojaHV7LF


The JSON Web Token itself is broken into three pieces per the JWT specification:

  • Header: Information regarding the cryptography used for the signature:

    • alg - algorithm: Valid JSON Web Algorithm. RS256, RS384, and RS512 are the supported algorithms.
  • Body: Data regarding the request that is signed. This includes the following information identifying the request:

    • iss - issuer: Identifier for the issuing entity (organization or service), consisting of the Category and Key separated by a colon (:), for example: organization:12345674890

    • iat - issued at: Timestamp at which the token was issued. Must not be before the current timestamp.

    • nbf - not before: Timestamp at which the token will be valid. Must not be before the current timestamp.

    • exp - expires: Timestamp at which the token will expire. Must be after the current timestamp.

    • aud - audience: The intended audience for the package. All API calls should use application:1000000000.

    • jti - jwt id: Unique identifier for your request. This value will be returned in the API response, and the returned value should be verified against it when the response is received.

    • Content-Hash - (Optional) Hash of the request body. This is used to ensure the integrity of the request body. It is not required when there is no body.

    • Content-Hash-Alg - (Optional) Hashing algorithm used for the Content-Hash value and expected back in the response. It is not required when there is no body.

    • Method - HTTP method of the request containing the JWT. In the example above, the value would be POST.

    • Path - Path of the request containing the JWT. In the example above, the value would be


  • Signature: Electronic signature of the encoded header and body segments separated by a period (.) with an acceptable algorithm. With the example above, the data to be signed would be:
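
As an added example (not LaunchKey's own code), the Python below assembles the header and body described above and returns the period-separated data that is then signed with the entity's RSA private key; the signing call itself is left to an RSA library. The function names, the 5-second lifetime, the hex-encoded SHA-256 Content-Hash, the S256 label and the sample request body are assumptions, not values from this page.

```python
import base64, hashlib, json, time, uuid

SUPPORTED_ALGS = {"RS256", "RS384", "RS512"}  # the only algorithms the page lists
AUDIENCE = "application:1000000000"           # audience the page gives for all API calls

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_signing_input(category, key, method, path, body=b"", alg="RS256",
                        now=None, lifetime=5):
    """Return (signing_input, claims); the caller signs signing_input with RSA."""
    if alg not in SUPPORTED_ALGS:  # refuse "none", HS256 and anything else unlisted
        raise ValueError(f"unsupported alg: {alg!r}")
    if category not in ("organization", "service"):
        raise ValueError(f"unknown category: {category!r}")
    now = int(time.time()) if now is None else int(now)
    claims = {
        "iss": f"{category}:{key}",
        "iat": now,
        "nbf": now,
        "exp": now + lifetime,     # assumed short lifetime to limit replay
        "aud": AUDIENCE,
        "jti": str(uuid.uuid4()),  # compared with the jti echoed in the response
        "Method": method.upper(),
        "Path": path,
    }
    if body:  # the hash claims are optional and omitted when there is no body
        claims["Content-Hash"] = hashlib.sha256(body).hexdigest()  # hex: assumption
        claims["Content-Hash-Alg"] = "S256"                        # label: assumption
    parts = ({"alg": alg}, claims)
    segments = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts]
    return ".".join(segments), claims

def response_matches(request_claims, response_jti):
    """True only if the response carries the jti this request was sent with."""
    return isinstance(response_jti, str) and response_jti == request_claims["jti"]

if __name__ == "__main__":
    # Constructed sample: key from the page's iss example, made-up request body.
    data, sent = build_signing_input("organization", "12345674890", "POST",
                                     "/whitelabel/v3/devices", b'{"identifier":"demo"}')
    print(data)
```

The RSA signature over the returned string, base64url-encoded, becomes the third JWT segment.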

