
I’m trying to do some basic JWT validation on board views/item views etc.


I have a board view at say:


https://xxxx.example.app/my-board-view

When the board view is displayed, it has a sessionToken request parameter (actually a JWT token) passed through to it from monday:


https://xxxx.example.app/my-board-view?sessionToken={sessionToken}

…which I should be able to validate against the “Signing secret” from “Basic information” here (for my app):


https://myinstance.monday.com/apps/manage/:app_id/app_versions/:app_version/sections/appDetails

I have this as MONDAY_SIGNING_SECRET in my JavaScript server-side code.


So basic validation should look something like this:


import jwt from 'jsonwebtoken';

// ...

const sessionToken = new URLSearchParams(location.search).get('sessionToken') || null;

if (!sessionToken) {
    // throw error(401, 'No token found.');
}

try {
    const payload = await jwt.verify(sessionToken, MONDAY_SIGNING_SECRET);

    // all good, continue
    // now add all the logic here...
} catch (err: any) {
    // throw error(401, 'Token is invalid.');
}

I’m finding that if I use this code with the signing secret, it always fails.


I get this error:


error JsonWebTokenError: invalid signature
    at /path/to/node_modules/jsonwebtoken/verify.js:171:19
    at getSecret (/path/to/node_modules/jsonwebtoken/verify.js:97:14)
    at module.exports [as verify] (/path/to/node_modules/jsonwebtoken/verify.js:101:10)
    ...


  • Does the signing secret work with board views etc?

  • Or am I doing something fundamentally wrong?

Oh, here’s the answer, use the OAuth secret instead




To be specific here, please use the Client Secret to verify your session token.


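The fix from the replies above, as an added example that is not part of the original posts: an HMAC JWT check written with Node's built-in crypto module, showing why the wrong secret yields `invalid signature` and the right one does not. The secrets, token and payload are constructed sample values, the function names are hypothetical, and HS256 as the signing algorithm is an assumption.

```javascript
// Added example: dependency-free HS256 verification (Node built-ins only).
const nodeCrypto = require('node:crypto');

// Constructed sample values, not real monday credentials.
const CLIENT_SECRET = 'sample-client-secret';
const SIGNING_SECRET = 'sample-signing-secret';

const b64url = (data) => Buffer.from(data).toString('base64url');

// Demo helper (hypothetical): mint a token the way an HS256 issuer would.
function signHS256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = nodeCrypto.createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Returns the payload, or throws with a reason named like jsonwebtoken's messages.
function verifySessionToken(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) throw new Error('jwt malformed');
  const [head, body, sig] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch { throw new Error('jwt malformed'); }
  // Pin the algorithm: the token's own header must never choose it ("none", RS256, ...).
  if (!header || header.alg !== 'HS256') throw new Error('invalid algorithm');

  const expected = nodeCrypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  // Constant-time compare; check lengths first because timingSafeEqual throws on a mismatch.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  if (typeof payload?.exp === 'number' && payload.exp <= nowSeconds) throw new Error('jwt expired');
  return payload;
}

// The failure reason as a string, or null when the token verifies.
function failureReason(token, secret) {
  try { verifySessionToken(token, secret); return null; } catch (e) { return e.message; }
}

const token = signHS256({ sub: 'constructed-user', exp: 4102444800 }, CLIENT_SECRET);
console.log('client secret :', failureReason(token, CLIENT_SECRET));
console.log('signing secret:', failureReason(token, SIGNING_SECRET));
```

With `jsonwebtoken` itself, the equivalent pinning is the `algorithms` option of `jwt.verify`, for example `{ algorithms: ['HS256'] }`.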