
How to Create NST Token v2

This document covers the process of generating a JWT token for NopStation’s Mobile app and explains how these concepts relate to the configuration fields in your store's administration panel.

Admin Panel Configuration

This section explains how to configure the Token Key and Secret in your store’s admin panel.

·       Go to https://[YOUR_DOMAIN]/Admin/WebApi/Configure

·       Scroll down to the Security section

·       The Token Key can be any string. Keep it secret.

·       The Token Secret can be any string that is at least 32 characters long. Keep it secret.

·       Check IAT invalidates the JWT token after every X seconds. It adds an additional layer of security.

·       Important points to consider:

o      Do not enable IAT if you want to test the APIs manually from Postman or Swagger.

o      The Token Key and Token Secret need to be the same on both the admin panel and in the mobile app’s source code. Otherwise, the app will not connect to the server.

o      If your app is already in the Play Store or App Store and you change the Key or Secret, all apps will lose access to the server.


JWT Generation Guideline from jwt.io

You’ll need to generate the JWT manually only if you are testing the APIs from Postman or Swagger. If you are not a developer, then it’s not needed.

Step-by-Step Instructions:

1.      Navigate to jwt.io: Open your web browser and go to the official tool: https://www.jwt.io/. Select the JWT Encoder tab. It’s not selected by default.

2.      Configure the Header: In the Decoded Header section (top left), ensure the algorithm is set to HS256.

JSON

{
  "alg": "HS256",
  "typ": "JWT"
}

3.      Input the Payload: In the Payload section, replace the content with the required claims.

NST_KEY can be any value.

JSON

{
  "NST_KEY": "your_token",
  "iat": 1516239022
}

4.      Configure the Signature (Secret): Scroll down to the Sign JWT section. Enter a Secret key (e.g., "a-string-secret-at-least-32-characters_long"). This secret is used to cryptographically sign the token.

5.      Retrieve the Token: The complete Encoded JWT token will be automatically generated and displayed in the JSON Web Token section on the right.

Copy and save the token to use it from Postman or similar tools.

6.      In Postman, send the generated JWT token in the request header with the key "NST".

 

Explanation of IAT

IAT stands for "Issued At". It specifies the time at which the JWT was created by the client (mobile app). The value is a number, which is a Unix timestamp (the number of seconds elapsed since January 1, 1970 UTC). When a server validates the token, IAT helps to determine how long the token has been active. It also ensures the token wasn't issued too far in the past, and it is often used in conjunction with token expiration to manage lifetime and security policies.
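The following Python sketch is an added example, not NopStation's code: it builds the same HS256 token that the jwt.io steps above produce and shows how a freshness check on iat behaves when Check IAT is on or off. The function names, the max_age_s window and the verification logic are assumptions, since this page does not show the server's implementation.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(data):
    # JWT segments are unpadded URL-safe base64.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input, secret):
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256)
    return _b64url(mac.digest())

def build_nst_token(nst_key, secret, iat=None):
    """HS256 JWT with the header and payload shown in steps 2 and 3."""
    if len(secret) < 32:
        raise ValueError("Token Secret must be at least 32 characters long")
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"NST_KEY": nst_key, "iat": int(time.time()) if iat is None else iat}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + _sign(signing_input, secret)

def check_nst_token(token, secret, nst_key, max_age_s=None, now=None):
    """Hypothetical verifier. max_age_s=None models Check IAT switched off."""
    try:
        head_b64, body_b64, sig = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        payload = json.loads(_b64url_decode(body_b64))
    except (ValueError, TypeError):
        return False, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"  # pin the algorithm, never trust the token's
    if not hmac.compare_digest(sig.encode(), _sign(head_b64 + "." + body_b64, secret).encode()):
        return False, "bad signature"
    if not isinstance(payload, dict) or payload.get("NST_KEY") != nst_key:
        return False, "key mismatch"
    if max_age_s is not None:
        now = int(time.time()) if now is None else now
        iat = payload.get("iat")
        if not isinstance(iat, int) or not 0 <= now - iat <= max_age_s:
            return False, "iat outside window"
    return True, "ok"
```

With a fixed iat such as the 1516239022 from step 3, the token passes only while the IAT check is off, which is why the page advises disabling Check IAT for manual Postman or Swagger testing.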

 

Configure the Token Key and Secret on the Mobile App’s Code 

The app generates the JWT token dynamically from the Token Key and Token Secret. Because of that, you must use the same values in the app’s code and in the admin panel.

·       Open lib/utils/AppConstants.dart

·       Change the values of NstKey and NstSecret

·       Double-check that there is no difference between the values in the code and those in the admin panel.

·       Compile the project and run the new build.

·       If configured correctly, the app will show the homepage. Otherwise, an error will appear.
