Skip to main content

Seamless Authentication seems to be handled automatically with the SDK, but the SDK is for JS only. If I was developing an app in some other language that doesn’t have the SDK, can I still make use of seamless integration? Do I just have to check the value of the “short-lived API key”? How would I know what value it’s supposed to have?


EDIT: A possible answer to my question just occurred to me, but I want to ask if this is correct:

Typically, to allow our app to make GraphQL API calls to Monday, we go to Settings>App and then copy the account API key and then present that key when we make an API call. With seamless authentication, do we present the “short-lived token” instead of the API key when making a GraphQL API call to Monday? This token acts as a replacement to the API key that we would copy from the Settings?

Hello @Human42!


I understand that you are talking about an app with an integration feature. Correct?


Every request from the Monday server to your app will be accompanied with a JWT token in the Authorization header. The token will be signed by your app’s Signing Secret . The JWT token can be decoded to get additional metadata about the request.


The JWT token will contain a short-lived API key that that can be used to authenticate against the monday API. The token will be valid for 1 minute and have the same permission scopes as your app.


Is this the information you were looking for?


Cheers,

Matias


Is this the information you were looking for?



Not exactly. What you’re saying here is the same as what I have already read in the documentation.


The statement that I want more information about is this:



The JWT token will contain a short-lived API key that that can be used to authenticate against the monday API



I don’t understand how to use the API key to authenticate against the Monday API.


I understand how I can authenticate that the request comes from my app in Monday.com by using the Signing Secret to verify that the JWT token is genuine and untampered, but I do not know what the use-case is of the short-lived API key.


I suspect the short-lived key takes the place of the Personal API token that we would otherwise have to copy from Settings>Admin>API, but I would like to hear confirmation from Monday:

image

Reply


Terms & ConditionsCookie settings