Third Party Authentication Using JWT Tokens

By Binoy Chemmagate on September 29, 2016

At the beginning of the year we published a Third-party Authentication Proposal to solicit feedback from the community for an enhanced security framework. Based on the feedback, we chose the mechanism using JWT (JSON Web Tokens). We recently released the new authentication to a few selected customers and are now releasing it to everyone.

This release offers two types of authentication:

  • origin URL whitelisting (basic authentication) and
  • third-party authentication based on JSON Web Tokens (JWT).

The pros and cons of the basic authentication are covered here, and we will continue to support the basic authentication. The JWT framework, by contrast, is based on a public/private key pair. Developers provide the public key and have to generate tokens for their users, which are then validated. This provides a higher level of security, but requires implementing a token generator.

JWT will provide security in two areas, authentication and information exchange.

  1. Authentication: Once the user is authenticated, the subsequent transactions contain a JWT, which contains authorization and access control information.
  2. Information exchange: The information can be signed using a private key. The signature is calculated over the header and the payload together, so a valid signature implies that the data has not been tampered with.

Here is the diagram explaining the transaction between a WebRTC endpoint and You need to create a shared secret or share a public key using the dashboard.


Third-party authentication using JWT


Breakdown of JWT tokens

A JWT token looks like this:



Even though it looks like quite a messy string, it has three parts separated by dots (“.”).

The first part is a header which tells you the type and algorithm used:


{ "typ":"JWT", "alg":"HS256" }


The second part is the claims body and in our case it shows


The third part shows the cryptographic signature:
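The three-part structure and the signature over header and payload described above, as an added example (not code from the original post or from the service it describes): a standard-library HS256 token generator and verifier that pins the algorithm and rejects altered tokens. The secret, the claim names `userID` and `appID`, and all function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed sample, not a real key
CLAIMS = {"userID": "alice", "appID": "demo-app"}  # hypothetical claim names

def b64url(data: bytes) -> str:
    # JWT parts are URL-safe base64 with the "=" padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = {"typ": "JWT", "alg": "HS256"}  # the header shown above
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode("utf-8"))
             for p in (header, claims)]
    # The signature covers "<header>.<claims>" exactly as transmitted
    return ".".join(parts + [b64url(mac(".".join(parts), secret))])

def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims if the token verifies, else raise ValueError."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
        expected = mac(f"{header_b64}.{claims_b64}", secret)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier; never let the token choose it
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison avoids leaking how many bytes matched
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(claims_b64))

def swap_claims(token: str, new_claims: dict) -> str:
    # Simulates a payload altered in transit: new claims, old signature
    header_b64, _, sig_b64 = token.split(".")
    return ".".join([header_b64, b64url(json.dumps(new_claims).encode("utf-8")), sig_b64])

if __name__ == "__main__":
    token = sign_hs256(CLAIMS, SECRET)
    print(token)
    print(verify_hs256(token, SECRET))
```

Because the verifier recomputes the HMAC over the received header and claims, any change to either part, or a header that names a different algorithm, fails before the claims are trusted.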


For more details about the implementation please check: If you have any questions or comments regarding the JWT framework, send them to support[at]
