/me/* endpoint directly), they
present a JWT signed by your app. We verify it using the public key you
publish via jwksUrl or supply as a static jwtPublicKey.
Who provides what
The Voucher Platform verifies your JWTs — there is no verification endpoint for you to call. To make that possible, you (the partner) provide the verification inputs and we store them on your partner record:You must supply
jwtIssuer and one of (jwksUrl | jwtPublicKey)
before your partner record can be created. So decide your issuer and
stand up your JWKS endpoint first — the rest of onboarding follows. See
Onboarding & credentials for the full list of who
provides which value.Required claims
Optional claims (JIT user creation)
If you skip thePOST /integrations/users step entirely, we’ll create the
user the first time a JWT for an unknown sub arrives (“just-in-time”
provisioning). These optional claims populate the new row:
Algorithm
We require RS256 with a 2048+ bit key. We do not currently accept HS256, ES256, or unsigned tokens.Example
Key rotation
If you setjwksUrl, we fetch the JWK set on each unique kid we haven’t
seen, with internal caching. To rotate:
- Publish the new key alongside the old one at your JWKS URL.
- Start signing new JWTs with the new
kid. - Wait for any in-flight tokens signed with the old key to expire.
- Remove the old key from your JWKS.
jwtPublicKey instead, rotation requires an admin
update to your partner record. JWKS is preferred for production.