JWT Auth
Require public widget and API traffic to carry the same signed tokens your app already trusts.
If your product already issues JWTs, the goal is simple: make public feedback traffic honor the same trust boundary.
How it works
Configure App Security with your issuer and JWKS. Once enabled, public survey requests must carry a valid bearer token.
- Tokens are verified per app.
- The expected audience is fixed to https://api.getuserfeedback.com.
- Missing or invalid tokens fail with explicit error codes.
When security is disabled, requests still work without a token. If you do send one, it is still validated and failures are logged for debugging.
What the client needs to send
Send:
Authorization: Bearer <token>
The browser surfaces support runtime auth configuration:
await client.configure({ auth: { jwt: { token } } });
await client.reset(); // on logout
Failure behavior
When security is enabled, the important failure modes are explicit:
- missing_token
- config_missing
- config_invalid
- invalid_token
These are useful because they tell you whether the problem is with the request, the app configuration, or the token itself.
A token problem is usually one of three things: wrong issuer, wrong JWKS, or a token minted for the wrong audience.
Practical rollout checklist
Before you enable security broadly:
- confirm the app is pointing at the correct issuer and JWKS
- verify the client actually sends the token on survey requests
- verify the token audience matches https://api.getuserfeedback.com
- test one happy path and one failure path on purpose