What value to check for in Seamless Authentication?

  • April 8, 2022
  • 2 replies
  • 2174 views

Seamless Authentication seems to be handled automatically with the SDK, but the SDK is for JS only. If I was developing an app in some other language that doesn’t have the SDK, can I still make use of seamless integration? Do I just have to check the value of the “short-lived API key”? How would I know what value it’s supposed to have?

EDIT: A possible answer to my question just occurred to me, but I want to ask if this is correct:
Typically, to allow our app to make GraphQL API calls to Monday, we go to Settings>App and then copy the account API key and then present that key when we make an API call. With seamless authentication, do we present the “short-lived token” instead of the API key when making a GraphQL API call to Monday? This token acts as a replacement to the API key that we would copy from the Settings?

Matias.Monday
  • monday.com Team Member
  • April 11, 2022

Hello @Human42!

I understand that you are talking about an app with an integration feature. Correct?

Every request from the Monday server to your app will be accompanied with a JWT token in the Authorization header. The token will be signed by your app’s Signing Secret. The JWT token can be decoded to get additional metadata about the request.

The JWT token will contain a short-lived API key that can be used to authenticate against the monday API. The token will be valid for 1 minute and have the same permission scopes as your app.

Is this the information you were looking for?

Cheers,
Matias
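
Added example, not part of the original post and not monday.com's own code: verifying the request JWT described above in Python, for an app written without the JS SDK. The HS256 algorithm, the `exp` claim and the `shortLivedToken` claim name are assumptions not stated in this thread; the secret and token values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_sample_token(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Build a constructed token for offline testing (stands in for the platform)."""
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256)
    return f"{head}.{body}.{_b64url_encode(mac.digest())}"

def verify_request_jwt(token: str, signing_secret: str, now=None) -> dict:
    """Return the verified payload, or raise ValueError if the token is not trustworthy."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64url_decode(head))
        signature = _b64url_decode(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm instead of trusting the header (assumption: HS256).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    mac = hmac.new(signing_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), signature):
        raise ValueError("bad signature")
    # Parse the claims only after the signature has been checked.
    payload = json.loads(_b64url_decode(body))
    exp = payload.get("exp") if isinstance(payload, dict) else None  # assumed claim
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        raise ValueError("token expired or missing exp")
    return payload

if __name__ == "__main__":
    secret = "constructed-signing-secret"  # constructed, not a real secret
    claims = {"shortLivedToken": "constructed-token", "exp": time.time() + 60}
    verified = verify_request_jwt(sign_sample_token(claims, secret), secret)
    # Assumed claim name for the short-lived API key carried in the JWT.
    print(verified["shortLivedToken"])
```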


  • Author
  • New Participant
  • April 11, 2022

Is this the information you were looking for?

Not exactly. What you’re saying here is the same as what I have already read in the documentation.

The statement that I want more information about is this:

The JWT token will contain a short-lived API key that can be used to authenticate against the monday API

I don’t understand how to use the API key to authenticate against the Monday API.

I understand how I can authenticate that the request comes from my app in Monday.com by using the Signing Secret to verify that the JWT token is genuine and untampered, but I do not know what the use-case is of the short-lived API key.

I suspect the short-lived key takes the place of the Personal API token that we would otherwise have to copy from Settings>Admin>API, but I would like to hear confirmation from Monday: