JWT based authentication

Space Cloud supports JWT based authentication.

How does authentication work?

Authentication itself (signup, signin and issuing tokens) is handled outside of Space Cloud, by your own authentication service or a third-party provider.

However, Space Cloud is responsible for validating whether a user is authenticated or not. It also helps you enforce your access control logic along with any data masking steps if needed. Check out the security rules to learn more about the possibilities of access control.

Space Cloud considers a request to be authenticated only if it carries a valid JWT. Check out the official JWT project website if you are new to JWTs.

Space Cloud will consider a token to be valid based on the following criteria:

  • The token's signature must verify under any one of the secrets provided to Space Cloud. Check out the docs for adding JWT secrets to learn more about providing secrets to Space Cloud.
  • If the token contains an expiry (the exp claim, in seconds since epoch), its value must be greater than the current time (also in seconds since epoch); an expired token is rejected. This check only runs when the claim is present: a token without an exp claim stays valid for as long as the secret that signed it is configured, so your authentication service should always set one.

Once a token is considered valid, its claims are parsed and made available in the args.auth variable to be used by security rules.

If a user tampers with any of the token's claims, or forges a token without knowing a configured secret, the signature no longer matches and the token fails at the verification stage. You can check out the official website of the JWT project to learn more about how this works.
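To make the two validity criteria and the tamper check concrete, here is an added example in Python; it is not Space Cloud's own code. A minimal HS256 signer stands in for your authentication service, and a verify function mirrors Space Cloud's rules: the signature must verify under any one of the configured secrets, and if an exp claim is present it must lie in the future. The secret values, user claims and the fixed timestamp are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for the example: a fixed "current time" so results are reproducible.
DEMO_NOW = 1_700_000_000


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """What an authentication service does on signin: build and sign a token."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, secrets: list, now: Optional[float] = None) -> Optional[dict]:
    """Mirror of the validity criteria described above.

    1. The signature must verify under at least one configured secret.
    2. If an exp claim is present, it must be greater than the current time.
    Returns the claims (what ends up in args.auth) on success, None otherwise.
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        provided = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
        return None
    signing_input = (header_b64 + "." + claims_b64).encode("ascii")
    if not any(
        hmac.compare_digest(provided, hmac.new(s, signing_input, hashlib.sha256).digest())
        for s in secrets
    ):
        return None  # criterion 1 failed: forged or tampered token
    now = time.time() if now is None else now
    if "exp" in claims and not claims["exp"] > now:
        return None  # criterion 2 failed: token has expired
    return claims


def demo() -> dict:
    """Exercise the checks with constructed tokens; returns each verification result."""
    old_secret, new_secret = b"old-signing-secret", b"new-signing-secret"
    configured = [old_secret, new_secret]  # tokens signed by either one are accepted
    good = sign_hs256({"id": "user-42", "role": "admin", "exp": DEMO_NOW + 3600}, old_secret)
    expired = sign_hs256({"id": "user-42", "exp": DEMO_NOW - 1}, new_secret)
    forged = sign_hs256({"id": "user-42", "role": "admin"}, b"guessed-secret")
    # Tampering: keep the valid header and signature, swap in a privileged payload.
    header_b64, _, sig_b64 = good.split(".")
    tampered = header_b64 + "." + _json_segment(
        {"id": "user-42", "role": "superadmin", "exp": DEMO_NOW + 3600}) + "." + sig_b64
    # The alg=none trick: unsigned token that a naive verifier might accept.
    alg_none = _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment({"id": "user-42"}) + "."
    no_exp = sign_hs256({"id": "user-42"}, new_secret)  # valid, but never expires
    return {
        "good": verify(good, configured, DEMO_NOW),
        "expired": verify(expired, configured, DEMO_NOW),
        "forged": verify(forged, configured, DEMO_NOW),
        "tampered": verify(tampered, configured, DEMO_NOW),
        "alg_none": verify(alg_none, configured, DEMO_NOW),
        "no_exp": verify(no_exp, configured, DEMO_NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result is not None else 'rejected'} {result or ''}")
```

The two rejected-by-signature cases (forged and tampered) fail for the same reason: without a configured secret nobody can produce a signature that matches the payload they want. The no_exp token is accepted, which is exactly why your authentication service should always set exp.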

Providing JWT tokens in a request

For HTTP requests, the token must be sent in the Authorization header as Bearer <token>; for websocket requests, it must be sent in the data.token key of the message body.

Here is what a sample token looks like:


Usually, these tokens should be provided by your authentication service on a successful signin/signup. Space Cloud can verify these tokens as long as it is configured with the secret used by your authentication service for signing these tokens.

Check out the docs for configuring JWT secrets to learn more about the different types of secrets supported and the additional security checks.

Space Cloud integrates out of the box with most popular third-party auth services like Firebase Auth, Auth0, etc. Check out the docs for integrating third-party auth services to learn more about it.

Enforcing authentication

Authentication is enforced by every security rule except the allow rule. If you only want to require that the caller is authenticated for a particular resource, without any further access control logic, use the authenticated rule like this:

  "rule": "authenticated"

Check out the docs for security rules to learn more about the different types of security rules that you can use to enforce your access control logic.
