Skip to main content
When a user opens the webview (or hits any /me/* endpoint directly), they present a JWT signed by your app. We verify it using the public key you publish via jwksUrl or supply as a static jwtPublicKey.

Who provides what

The Voucher Platform verifies your JWTs — there is no verification endpoint for you to call. To make that possible, you (the partner) provide the verification inputs and we store them on your partner record:
You must supply jwtIssuer and one of (jwksUrl | jwtPublicKey) before your partner record can be created. So decide your issuer and stand up your JWKS endpoint first — the rest of onboarding follows. See Onboarding & credentials for the full list of who provides which value.

Required claims

Optional claims (JIT user creation)

If you skip the POST /integrations/users step entirely, we’ll create the user the first time a JWT for an unknown sub arrives (“just-in-time” provisioning). These optional claims populate the new row:
JIT works, but the recommended pattern is to upsert the user from your backend before opening the webview. That way you can correct stale data (e.g. user changed their email) and you don’t depend on JWT claims for PII integrity.

Algorithm

We require RS256 with a 2048+ bit key. We do not currently accept HS256, ES256, or unsigned tokens.

Example

Key rotation

If you set jwksUrl, we fetch the JWK set on each unique kid we haven’t seen, with internal caching. To rotate:
  1. Publish the new key alongside the old one at your JWKS URL.
  2. Start signing new JWTs with the new kid.
  3. Wait for any in-flight tokens signed with the old key to expire.
  4. Remove the old key from your JWKS.
We don’t pin keys, so no admin action is needed on our side. If you supply a static jwtPublicKey instead, rotation requires an admin update to your partner record. JWKS is preferred for production.