
Authorization

Privy issues each user an auth token when they log in to your app. When making requests from your frontend to your backend, we recommend that you authorize those requests with this token. More concretely, you should:

  1. include the user's auth token when your frontend sends a request to your backend
  2. verify the user's auth token when your backend receives a request from your frontend

Privy's token format

Privy auth tokens are JSON Web Tokens (JWT), signed with the ES256 algorithm. These JWTs carry certain information about the user in their claims, namely:

  • sid is the user’s current session ID
  • sub is the user’s Privy DID
  • iss is the token issuer, which should always be privy.io
  • aud is your Privy app ID
  • iat is the timestamp of when the JWT was issued
  • exp is the timestamp of when the JWT will expire and is no longer valid. This is generally 1 hour after the JWT was issued.