Authenticating users with JWT tokens

User JWT tokens

Using JWT tokens provides greater flexibility than "Sign in with Google" and other third-party providers, but also requires some development work on the part of the event host. With tokens, the event host can support seamless authentication integration with their own platform, where attendees are already logged in.

Public and private keys

In order to generate tokens, you will first need to generate a public/private RSA key pair. For example, if you are on Linux or Mac:

ssh-keygen -b 2048 -m PEM -t rsa -f socialhour.key -q -N ""
openssl rsa -in socialhour.key -pubout -outform PEM -out socialhour.key.pub

In the Settings section of your Social hour event, paste the public key from socialhour.key.pub. When you open that file, it should look something like this:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAreHYPYvIDfoisOxcelL6
DBVnQOJjlMThKtq/Hmfo3kHXV2WY8RQ8AZ/7GiIN4Z4HnaPb3IdKOFoSpdun2pho
sPyFJMZNM37o3jPd5M9kiEADTiuIk35fk9dgQ+j2aBVp4cJSm8IJ4QxQ78vzM+h1
O0N3YzXY5GJLcH6JKl8+aveKCqn6rRHvZKMCXP+OFrQ3BLp06RFCREHdRH9H/n0r
jLGmos/YBgdnzzAD0u1lNWR1IPF1lxs/fzUvHOmN+BuDYPttloIIZ65nPMklG5w/
QxdupHKb6JVMQo6Jd2iqE+4lPhZZz+sIcScvgFhubqX0bqkHHQVxe6+9XApuPtD3
TQIDAQAB
-----END PUBLIC KEY-----

Generating the token

With keys generated, you can now create and sign user tokens. For example, with Node.js:

const jwt = require('jsonwebtoken');
const fs = require('fs');

// Private half of the key pair generated above; keep it server-side only.
const privateKey = fs.readFileSync('./socialhour.key');

const token = jwt.sign(
  {
    displayName: 'Larry David',
    email: 'larry@seinfeld.com',
    userProfile: [
      ['organization', 'Seinfeld'],
      ['title', 'Producer'],
      ['interests', 'comedy']
    ]
  },
  privateKey,
  // Sign with RSA-SHA256 and give the token a short lifetime (seconds).
  { algorithm: 'RS256', expiresIn: 300 }
);

The displayName field is required; other fields are optional. The avatarUrl field should refer to a publicly accessible avatar image. If none is provided, a default image will be generated using the initials from the given displayName.

Now, add this token to the event URL:

https://[YourOrg].socialhour.com/my-event?token=eyJhbGciOiJS...

Best practices

It is most likely in your interest to generate tokens with a short (~300 seconds) expiration time. Ideally, you should generate the token dynamically at the moment a user clicks a link on your platform intending to visit Social hour, and then send the user along to Social hour (e.g., via a 302 redirect).

It is also possible to generate long-lived tokens, but remember that anyone who follows such a link will be logged in as that user on socialhour.com. So it is best to avoid including token links directly in formats like emails or chat channels; better to generate them on the fly as needed.