Skip to main content

Secure your Backend

In your backend application, you'll receive the user JWT, but you still need to ensure that the requests are actually coming from the Qloud proxies. That's what the Application Secret is for. In our example, the secret is S2XHHOEpDUTOUW3kPPPV6NjT6zJ4RioN.

All tokens will be signed, using the HS256 algorithm, and this secret. Have a look at the Architecture for more information on the way we work with the JSON Web Token (JWT).

The JWT will be sent as cookie __q_token__ to your backend, and is valid for a few seconds (see JWT expiration).

Optional Authentication

If you use the "Optional Authentication" mode, you'll also receive requests without a token.

We provide several libraries to check the token: Qloud Integration Libraries, but of course you can check the token yourself too.