Privy issues each user an auth token when they log in to your app. You can read more about this token here.
When making requests from your frontend to your backend, we recommend that you authorize your requests with this token.
You can think of this as a two step process:
- When your frontend sends a request to your backend, include the user's auth token. This allows your backend to identify and authorize the user that sent the request.
- When your backend receives a request, extract and verify the user's auth token. From this token, you can get the user's Privy DID from the `id` field to identify them, and you can verify the authenticity of the token with your Privy public key.
The Privy auth token
Privy auth tokens are JSON Web Tokens (JWTs) signed with the ES256 algorithm. These JWTs carry certain information about the user in their claims, namely:
- `sid` is the user's current session ID
- `sub` is the user's Privy DID
- `iss` is the token issuer, which should always be privy.io
- `aud` is your Privy app ID
- `iat` is the timestamp of when the JWT was issued
- `exp` is the timestamp of when the JWT will expire and is no longer valid. This is generally 1 hour after the JWT was issued.