JSON Web Token (JWT) Authentication
Integrations with LeadDesk can use a JSON Web Token (JWT) to pass information about a logged-in user from LeadDesk to another system, so that the user does not have to log in separately to that other system.
In addition, the target system must verify that
- the signature in the JWT is correct (see Signature below),
- the token has not expired, i.e. the expiry timestamp (exp) is not in the past, and
Signature
Identity JWTs are not encrypted, but they are signed using LeadDesk’s private keys. This means that, before accepting a JWT as valid, its signature (i.e. the third and final part) must be verified using the corresponding public key.
The header (first part) of the decoded JWT contains the key ID (kid) of the private key that the JWT was signed with. The public counterpart can be retrieved using our REST API.
Example command to retrieve all the currently active keys:
curl -s -X GET "https://restapi-nor.leaddesk.com/stable/public_keys/signature/pem"
Expiry time
By default, the report JWT expires at the next midnight (unless it was generated within the hour before midnight, in which case it expires at the midnight after that). Other restrictions apply depending on the use case: when used for a LeadApp page, for example, the token expires in five minutes.
Data structure
# Token expiry time
exp: 1514379194
# User who opened the report (=UID)
user: 166320930817
# User's role
role: "agent"
# User's client id
client: 1
# Request's path and query signature
signature: b0ca383cb83906bf4d7938f8932140fb2334ae...3dcc5f199fcd02
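The checks described under Signature and Expiry time, applied to the data structure above, as an added Go example that is not LeadDesk's own code: it splits the token into its three parts, pins the algorithm to RS256, selects the public key by the header's kid from an in-memory key set, verifies the RSA signature over header.payload and rejects a token whose exp is not still in the future. The key set, the kid "example-kid", the generated key pair and SignJWT are constructed so that the example runs offline; the real key set would be filled from the PEM keys that the public_keys endpoint serves (main only shows the PEM round-trip, the endpoint's exact response layout is not assumed). The request-signature claim in the data structure is a separate value and is not checked here; the claim values are the ones shown above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// KeySet maps a key ID (kid) to its public key; here it is built in memory.
type KeySet map[string]*rsa.PublicKey

// Claims holds the fields of the token's data structure that the consuming
// system needs; json.Unmarshal ignores any others.
type Claims struct {
	Exp    int64  `json:"exp"`
	User   int64  `json:"user"`
	Role   string `json:"role"`
	Client int64  `json:"client"`
}

// decodeSegment base64url-decodes one JWT segment and unmarshals its JSON.
func decodeSegment(segment string, v interface{}) error {
	raw, err := b64.DecodeString(segment)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyJWT accepts a token only if its header names a known kid, alg is RS256,
// the RSA signature over "header.payload" checks out and exp is still ahead of now.
func VerifyJWT(token string, keys KeySet, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three dot-separated parts")
	}
	var header struct{ Alg, Kid string } // encoding/json matches field names case-insensitively
	if err := decodeSegment(parts[0], &header); err != nil {
		return nil, err
	}
	// Pin the algorithm: the token itself must never pick "none" or an HMAC alg.
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	pub, ok := keys[header.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", header.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var claims Claims // the payload is only trusted once the signature is verified
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	if claims.Exp == 0 || !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, errors.New("token has expired or carries no exp")
	}
	return &claims, nil
}

// SignJWT stands in for the issuer so that the example runs offline.
func SignJWT(priv *rsa.PrivateKey, kid string, claims Claims) (string, error) {
	headerJSON, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payloadJSON, _ := json.Marshal(claims)
	input := b64.EncodeToString(headerJSON) + "." + b64.EncodeToString(payloadJSON)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Round-trip the public key through PEM, the format the public_keys endpoint serves.
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	block, _ := pem.Decode(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	parsed, _ := x509.ParsePKIXPublicKey(block.Bytes)
	keys := KeySet{"example-kid": parsed.(*rsa.PublicKey)} // "example-kid" is a constructed value
	tok, _ := SignJWT(priv, "example-kid", Claims{Exp: 1514379194, User: 166320930817, Role: "agent", Client: 1})
	claims, err := VerifyJWT(tok, keys, time.Unix(1514370000, 0))
	fmt.Println(claims, err)
}
```

The order of the checks matters: the algorithm and kid come from the unverified header, so they are used only to pick the key and pin the algorithm, and the payload claims (including exp) are read only after the signature has been verified.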