API and Webhooks

Authenticating API v2 calls with JWT

You can use Higher Logic Vanilla's JWT addon to authenticate against the API v2, in addition to the normal web SSO flow.

What is a JWT?

JWT stands for JSON Web Token. JSON Web Tokens are an open, industry-standard RFC 7519 method for representing claims securely between two parties. In order to use this authentication, you must create a JWT and pass it as a bearer token for API calls.

More information about JWTs is available at jwt.io.

Required JWT information

Below is the information that is required for the JWT.

Header

typ - Hardcoded to JWT.
alg - We support the HS256 HMAC hashing algorithms.

Payload

iss - The issuer (usually the domain of the Authentication Provider).
sub - A unique identifier passed that will always accompany the user when they log in. This is the UniqueID in regular SSO.
aud - The intended audience (usually the URL of the community).
email - The email address of the user.
displayname - The username to be displayed on the site.
exp - The expiry time of the token (UNIX time stamp).
Either iat or nbf - UNIX time stamp when the token was created. We will reject any token that doesn't have one or has one set in the future.

The payload can optionally include:

picture - The URL of a profile picture displayed on the site. If one is not present, the user can upload one afterwards.

Sign the JWT

Sign your JWT with the same secret in the JWT settings.

🛑 IMPORTANT: Make sure this secret stays on your server; otherwise, your authentication may be compromised. If your secret ever gets leaked, we recommend changing it immediately.

Pass the JWT to API calls

Pass the JWT in the header as an RFC 6750 bearer token in the Authorization header, as in:

Authorization: Bearer <your_JWT>

Be sure to enter a space between "Bearer" and your actual JWT.

Using a JWT without SSO

Sometimes you may use another SSO method for the web flow, but still want to use a JWT for API calls.

📝 NOTE: Currently, there's no official way to disable the regular JWT SSO, but if your main SSO method is set to the default, you won't see the JWT sign-in option on your site. We will be adding a config option to disable the JWT SSO web flow in the near future.

Read this next!

Mute Posts
As a member of an online community, you'll likely Follow and engage with numerous posts from other users, not to mention create your own posts that others engage with. Over time, you may come across threads that produce a high volume of engagement that you're not interested in, and this engagement can result in a similar…
Vanilla Co-Deploy
Co-Deploy: Empowering Customization for Your Community Forum At Higher Logic Vanilla (HLV), we understand that each organization has unique needs when it comes to community engagement. While many platforms offer basic theming and branding tools, Co-Deploy goes a step further, allowing Enterprise+ customers to fully…
Higher Logic – AI Terms of Use
Additional Terms for Use of AI Features By activating and/or using AI Features within the Software Services, the following terms (“AI Terms”) are hereby added to and become part of the Agreement between Higher Logic, LLC and your organization. Capitalized terms not defined in these AI Terms have the meanings given in the…
Create a Custom Layout Title Bar
In Higher Logic Vanilla (Vanilla), there are two types of Title Bars: Each Style Guide theme includes a Title Bar. Because a theme is applied community-wide, this functions as a default Title Bar that displays on every page. Communities that leverage Vanilla's custom page layouts can optionally create a custom Title…