User authentication
Make the widget honor your app's auth boundary using signed JWT tokens.
If your app already authenticates users, you can make the widget honor the same trust boundary. When enabled, the widget only works for users who have a valid signed token from your app.
How it works
- Enable App Security in your getuserfeedback.com settings.
- Configure your issuer and JWKS endpoint.
- Pass a valid JWT token to the widget from your app.
Once enabled, the widget requires a valid bearer token before it will load surveys. Tokens are verified per app, and the expected audience is https://api.getuserfeedback.com.
When security is disabled (the default), the widget works without a token and nothing is gated. If you do send a token, it is still validated and verification failures are logged for debugging, so you can test your setup before enforcing it.
Passing the token
Fetch a JWT from your auth provider and pass it to the widget. The token needs to be refreshed when your app session changes or your auth provider rotates it.
React SDK
```tsx
import { useEffect } from "react";
import { useGetUserFeedback } from "@getuserfeedback/react";

export function GetUserFeedbackAuth({ token }: { token: string | null }) {
  const client = useGetUserFeedback();

  useEffect(() => {
    if (!token) {
      // No session: clear auth and identity together.
      void client.reset();
      return;
    }
    // New or rotated token: hand it to the widget.
    void client.configure({
      auth: { jwt: { token } },
    });
  }, [client, token]);

  return null;
}
```

Mount this once inside <GetUserFeedbackProvider> and pass in the token from your auth layer. Because `token` is an effect dependency, every new token from your auth layer re-runs `configure()`, and a null token (logout) calls `reset()`.
JavaScript SDK
The same pattern works with any auth provider — fetch the token, pass it, and call it again when the session changes:
```javascript
import { createClient } from "@getuserfeedback/sdk";

const client = createClient({
  apiKey: "YOUR_API_KEY",
});

// Fetch a token from your auth provider and hand it to the widget.
const token = await yourAuthProvider.getToken();
await client.configure({
  auth: { jwt: { token } },
});
```

On logout, call client.reset().
Token refresh
JWT tokens expire. When a token expires and the widget needs to make a request, the request will fail with invalid_token. To avoid this, call configure() again after session changes or whenever your auth provider refreshes the token. On logout, call client.reset() so auth and identity are cleared together.
Failure behavior
When security is enabled, failures are explicit:
- missing_token — no token was sent
- config_missing — App Security isn't configured yet
- config_invalid — the issuer or JWKS configuration has a problem
- invalid_token — the token didn't pass verification or has expired

An invalid_token result is usually one of four things: the wrong issuer, the wrong JWKS endpoint (so the signing key can't be found), a token minted for a different audience, or a token that has already expired.
Rollout checklist
Before you enforce authentication broadly (ideally while App Security is still disabled, so a bad token is logged rather than blocking users):
- Confirm the app is pointing at the correct issuer and JWKS endpoint.
- Verify the widget actually receives the token.
- Verify the token audience matches https://api.getuserfeedback.com.
- Test one success and one failure on purpose.
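The following is an added example, not code from the getuserfeedback.com SDK or docs. It serves both the "Token refresh" section and the checklist above: `preflightClaims()` checks the three claims that cause invalid_token (issuer, audience, expiry) before the token is handed to the widget, and `msUntilRefresh()` schedules the next `configure()` call from the token's `exp`. It only decodes the payload; signature verification against your JWKS happens server-side and is deliberately not reimplemented here. The issuer `https://auth.example.com`, the `mintTestToken` fixture (with a placeholder signature) and the `keepWidgetAuthenticated` glue are assumptions for illustration; the widget client's `configure()` / `reset()` calls are the ones shown on this page.

```javascript
// Added example: client-side preflight of the JWT the widget will receive,
// plus refresh scheduling from the exp claim. Not part of the SDK.

const EXPECTED_AUD = "https://api.getuserfeedback.com"; // stated on this page
const ISSUER = "https://auth.example.com"; // ASSUMED: your app's configured issuer

const b64url = (s) => Buffer.from(s).toString("base64url");

// Constructed fixture so the example runs offline. The third segment is a
// placeholder, not a real signature: nothing here verifies signatures, your
// real auth provider signs tokens with the keys published at your JWKS URL.
function mintTestToken(claims) {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  return `${header}.${payload}.${b64url("placeholder-signature")}`;
}

// Decode the payload segment only (no signature check, see above).
function decodeClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns a list of problems; an empty list means iss/aud/exp look right.
function preflightClaims(token, { issuer = ISSUER, audience = EXPECTED_AUD, now = Math.floor(Date.now() / 1000) } = {}) {
  let claims;
  try {
    claims = decodeClaims(token);
  } catch (e) {
    return [`malformed: ${e.message}`];
  }
  const problems = [];
  if (claims.iss !== issuer) problems.push(`wrong issuer: ${claims.iss}`);
  // RFC 7519 allows aud to be a single string or an array of strings.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) problems.push(`wrong audience: ${JSON.stringify(claims.aud)}`);
  if (typeof claims.exp !== "number") problems.push("missing exp");
  else if (claims.exp <= now) problems.push(`expired at ${claims.exp}`);
  return problems;
}

// Milliseconds until configure() should run again: exp minus a safety margin,
// so no request goes out with a token that is about to expire.
function msUntilRefresh(token, { now = Math.floor(Date.now() / 1000), marginSeconds = 60 } = {}) {
  const { exp } = decodeClaims(token);
  if (typeof exp !== "number") throw new Error("token has no exp claim");
  return Math.max(0, (exp - now - marginSeconds) * 1000);
}

// ASSUMED glue: preflight, configure, and schedule the next refresh. stop()
// is for logout and calls client.reset() so auth and identity clear together.
function keepWidgetAuthenticated(client, getToken, {
  schedule = setTimeout,
  cancel = clearTimeout,
  now = () => Math.floor(Date.now() / 1000),
} = {}) {
  let timer = null;
  let stopped = false;
  async function cycle() {
    if (stopped) return;
    const token = await getToken();
    if (!token) {
      await client.reset(); // no session: clear auth rather than send nothing
      return;
    }
    const problems = preflightClaims(token, { now: now() });
    if (problems.length) throw new Error(`token would fail verification: ${problems.join("; ")}`);
    await client.configure({ auth: { jwt: { token } } });
    timer = schedule(cycle, msUntilRefresh(token, { now: now() }));
  }
  return {
    ready: cycle(),
    stop: async () => {
      stopped = true;
      if (timer !== null) cancel(timer);
      await client.reset();
    },
  };
}
```

Run `preflightClaims()` on a real token from your auth provider during rollout: a non-empty list tells you which of the three checklist items is wrong before the widget ever reports invalid_token.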