Session tokens

Session tokens are the mechanism embedded apps use to authenticate user sessions and secure communication between the client and the app's backend. After a user authenticates on the platform, a short-lived, unique session token is issued, stored in the browser's cookies, and sent with each request so the backend can verify the user's identity and maintain session integrity.

TIP

Because browser cookies are unreliable across domains, all embedded apps are required to implement session token authentication. Apps that do not comply may expose users to security risks, and the platform may intervene to require the necessary changes.

Authentication process

The authentication process using session tokens on the Genstore platform includes the following key steps:

  • Request a session token
  • Use the session token

Request a session token

Apps initiate user sessions and request session tokens through the Genstore App Bridge while rendering their UI. This process involves the following steps:

Use the session token

After receiving a session token, apps must verify its signature and its validity period before trusting it, as follows:

Data structure

Session tokens are formatted as JSON Web Tokens (JWT) and consist of two parts: a Header and a Payload.

Header example

json
{
	"alg": "HS256",
	"typ": "JWT"
}

Parameters:

  • alg: The algorithm used to sign the JWT (HS256, i.e. HMAC with SHA-256).
  • typ: Type of the token (always JWT).

Payload example

json
{
	"aud": "<client ID>",
	"sub": "<user ID>",
	"exp": "<time in seconds>",
	"iat": "<time in seconds>",
	"sid": "<session ID>",
	"sig": "<signature>"
}

Parameters:

  • aud: Client ID of the app the token is intended for.
  • sub: ID of the user the session token belongs to.
  • exp: Expiration time of the token, as a Unix timestamp in seconds.
  • iat: Time the token was issued, as a Unix timestamp in seconds.
  • sid: Unique session ID per user and app.
  • sig: Signature provided by Genstore.

Payload example with sample values

json
{
    "aud": "client-id-666",
    "sub": "22",
    "exp": 1731394399,
    "nbf": 1731394399,
    "iat": 1731394399,
    "sid": "5b2b31c25aaea182f273c0fea3d25d3eb7fd3ad24c682d44349057021a448584",
    "sig": "61c70f4e7f2fb229e4c475bffc8cc1738f730270c17cf0b2f0f276b0f7621087"
}

Considerations

  • Session independence: Each user receives a distinct session token per app and per store, so sessions are isolated from one another.
  • Token validity: Session tokens are valid for one minute and must be renewed frequently to keep the session active.
  • Token retrieval: Apps must obtain a fresh session token from the App Bridge before each request so that the token they send is still valid.
  • Session verification: Session tokens are checked against the user's login status to confirm that the token is being used by an authenticated user.
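The checks described under "Use the session token" and in the considerations above, as an added example that is not part of the Genstore documentation: it verifies the HS256 signature, pins the algorithm, checks the audience against the app's client ID, requires the documented claims, and enforces the exp/nbf/iat window. It assumes the signing key is the app's client secret (the page does not state which key is used) and uses constructed values; the page's `sig` claim is returned untouched because the page does not specify how it is checked.

```python
import base64, hashlib, hmac, json, time

# Assumption for this example: the token's HS256 signature is keyed with the
# app's client secret. Both values below are constructed, not real credentials.
CLIENT_ID = "client-id-666"
CLIENT_SECRET = b"example-app-secret"

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_token(claims, secret=CLIENT_SECRET):
    """Build an HS256 token with the page's header; here only to produce test input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"

def verify_session_token(token, client_id, secret, now=None):
    """Return the claims if signature, audience and time window pass; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the header's 'alg' is untrusted until the MAC has been checked.
    if header.get("alg") != "HS256" or header.get("typ") != "JWT":
        raise ValueError("unexpected header")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != client_id:
        raise ValueError("token issued for another app")
    for key in ("sub", "sid", "exp", "iat"):
        if key not in claims:
            raise ValueError(f"missing claim {key}")
    # One-minute tokens: reject anything expired or not yet valid (nbf falls back to iat).
    if now >= int(claims["exp"]) or now < int(claims.get("nbf", claims["iat"])):
        raise ValueError("token outside its validity window")
    return claims
```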