Secure your Backend
In your backend application, you'll receive the user JWT, but you still need to ensure that the requests are actually
coming from the Qloud proxies. That's what the Application Secret is for. In our example, the secret
is S2XHHOEpDUTOUW3kPPPV6NjT6zJ4RioN
.
All tokens will be signed, using the HS256 algorithm, and this secret. Have a look at the Architecture for more information on the way we work with the JSON Web Token (JWT).
The JWT will be sent as cookie __q_token__
to your backend, and is valid for a few seconds
(see JWT expiration).
If you use the "Optional Authentication" mode, you'll also receive requests without a token.
We provide several libraries to check the token: Qloud Integration Libraries, but of course you can check the token yourself too.