Moped Documentation

How do I get a JWT token?

Last updated 4 years ago

JSON Web Tokens (JWTs)

A token is basically a passport: it carries information about the user, such as the name, email, and certificate origin (AWS, Google, etc.), and it has an expiration date. This "passport", in the form of a long encoded token, is how we communicate with Hasura and the AWS API Gateway.

Hasura needs the token to know the roles of the user, and makes sure this token is valid by checking with AWS directly. The same applies to the AWS API Gateway; the only difference is that we perform the validation ourselves in the API.

To pass this token, we use the standard HTTP header Authorization, much like this:

Authorization: Bearer <TOKEN STRING HERE>

Tokens are currently programmed to expire after one hour of use.

Not all Tokens are Created Equal

There are two types of tokens: AWS Cognito tokens and Single Sign-On (SSO) tokens. With these two types of tokens, there are two different environments: 1) Local/staging and 2) Production.

The main difference between the Cognito token and the Single Sign-On token is in the contents of the token: the SSO token is longer and has more information about Active Directory.

1) Local/Staging. The tokens for local/staging only work for local or staging use. This is true for the local/staging Hasura and for the local/staging API (Flask app).

2) Production. The tokens for production only work for the production Hasura instance or the API.

Where can I find it?

  1. Log in to Moped (if you need access to local/staging, launch the local instance or log in to the staging Moped instance).

  2. Once logged in, in Chrome find the developer console:

The token looks like this:

eyJraWQiOiJqVXltd2JzdFJFa1MwK2lEcjJoelk2amRHZFV5blA5TDFLeFVwa0Z4UXpBPSIsImFsZyI6IlJTMjU2In0.….j2WDK1wrFzZAdKjyOsyQxCcG43gw8D1DCy5p07h4Ay1dlgHhgNU0ERWY49UfNjk_ZCg59lafuJZ0pdu53XBkAFrb_y7ufn_-HAKCq5DsuVyPTExVQeo6sSEDrCuwZsjQfzp6OPOVG3MfQHN_K-Z7V__OWxf4o0GulMwy7mCB7luz9ySmOWlosXNsIUWZ1FlqymC9zA0meTObdrVAWqYJpfnozeu3ufc3_8Yli1Bks-c0Ggn_ZvL1wfMxCjyBvzMCnpBLd62NcOJogGBOX0rT57k9xJM9UIzV7gn3g8xV7P_Csx3WovsVgcH13YWYRoxq6K7NowY6bGjztgsSjF639Q

The decoded token looks like this. From this example, you can see this is a Single Sign-On token, given the extra identity details related to Microsoft AzureAD:

{
  "at_hash": "NRiBzut2yJar7oJpT1Om2A",
  "sub": "ceb85a99-177e-41ce-925e-6adb13a63d90",
  "cognito:groups": [
    "us-east-1_U2dzkxfTv_AzureAD"
  ],
  "email_verified": false,
  "https://hasura.io/jwt/claims": "{\"x-hasura-user-id\": \"646d1b1f-5b27-47cb-a4c9-58380611245e\", \"x-hasura-default-role\": \"moped-viewer\", \"x-hasura-allowed-roles\": [\"moped-admin\"]}",
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_U2dzkxfTv",
  "cognito:username": "azuread_sergio.garcia@austintexas.gov",
  "nonce": "s8S8EfqpFJoRMkjVKks_Ga6C17EaX1yaMaKXu91ryyMgWMwG2DeoAHG4nIOq5VQkWeuc_ognPbaoNRDEsmY3KAnyI-OrkNjln7q7aQOEMdJnJOELdd_ULB1wHEJSYMl1KQBu4JXG6nCwUiYTWNBhKWQsM3GAbmovJ1yfzD7PgQY",
  "aud": "3u9n9373e37v603tbp25gs5fdc",
  "identities": [
    {
      "userId": "Sergio.Garcia@austintexas.gov",
      "providerName": "AzureAD",
      "providerType": "SAML",
      "issuer": "https://sts.windows.net/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/",
      "primary": "true",
      "dateCreated": "1605032912650"
    }
  ],
  "token_use": "id",
  "auth_time": 1607554789,
  "exp": 1607558389,
  "iat": 1607554789,
  "email": "Sergio.Garcia@austintexas.gov"
}
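
To read these claims locally instead of pasting a token into a third-party decoder, the payload can be decoded with a few lines of Python. This is an added example, not code from the Moped project: it only inspects the token and does not verify the signature, `inspect_token` is a hypothetical helper, the sample token is constructed from a subset of the claims shown above, and treating the presence of `identities` as the SSO marker is an assumption.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_token(token: str, now: int) -> dict:
    """Decode a JWT for inspection only. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    # The Hasura claims arrive as a JSON string nested inside the JSON payload.
    hasura = claims.get("https://hasura.io/jwt/claims", "{}")
    if isinstance(hasura, str):
        hasura = json.loads(hasura)
    return {
        "alg": header.get("alg"),
        # Assumption: only SSO tokens carry the federated "identities" claim.
        "token_type": "sso" if claims.get("identities") else "cognito",
        "issuer": claims.get("iss"),
        "default_role": hasura.get("x-hasura-default-role"),
        "allowed_roles": hasura.get("x-hasura-allowed-roles", []),
        "lifetime_seconds": claims["exp"] - claims["iat"],
        "expired": now >= claims["exp"],
    }

# Constructed sample built from a subset of the claims shown on this page.
SAMPLE_CLAIMS = {
    "https://hasura.io/jwt/claims": json.dumps({
        "x-hasura-default-role": "moped-viewer",
        "x-hasura-allowed-roles": ["moped-admin"],
    }),
    "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_U2dzkxfTv",
    "identities": [{"providerName": "AzureAD", "providerType": "SAML"}],
    "exp": 1607558389,
    "iat": 1607554789,
}
SAMPLE_TOKEN = ".".join([_b64url_encode({"alg": "RS256"}),
                         _b64url_encode(SAMPLE_CLAIMS), "constructed-signature"])

if __name__ == "__main__":
    print(json.dumps(inspect_token(SAMPLE_TOKEN, now=1607555000), indent=2))
```

The `iss` value identifies the Cognito user pool that issued the token, and `exp - iat` reflects the one-hour lifetime described above.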