One of the most common help center questions we receive to our support mailing list is concerning our REST API. Our REST API has only grown in popularity as more and more large WebRTC services develop mobile apps.
When our customers look to integrate with the REST API, the authentication process can be far from trivial, especially for a new or inexperienced user. Unfortunately, the biggest problem seems to come from the very first step: understanding how to self-sign the token initially with ES256.
For engineers familiar with different PKI-based systems, self-signing the token with ES256 seems straightforward. However, many application developers do not have this background knowledge, and have had difficulties getting through this step. Whenever we identify problems that are a consistent issue for many individuals, we try to resolve them as thoroughly as we can. This typically results in several different resources for our customers so we can try to address many different learning styles and be as accessible as possible.
Signing the Token with ES256
For this specific instance, there are two different ways to sign the token with ES256. Our customers may either:
Delegate it to their own authentication server. The authentication server will generate the token and sign it with ES256.
Generate the JWT on the application side. This is done by embedding the private key in the application, or letting the application download it from somewhere (for example, Amazon S3). This is not typically recommended, as it exposes the private key to the device owner or a potential malicious application user. However, it is still a possibility for authentication.
We have several resources available to resolve this issue, including our REST API documentation, a blog post on third-party authentication using JWT tokens, and a help center article.
Integrating the REST API Series
We also released a series on how to integrate the callstats.io REST API, which releases new articles every few months.
Our goal is to be as accessible, helpful, and transparent to our customers as possible, whether they are experts on the platform or beginners. This is one of the main reasons we released our help center almost two years ago.