Authorization

When a user logs in to your app and becomes authenticated, SocialLive issues the user an app access token. This token is signed by SocialLive and cannot be spoofed.

When your frontend makes a request to your backend, you should include the current user's access token in the request. This allows your server to determine whether the requesting user is truly authenticated or not.


Access token format

SocialLive access tokens are JSON Web Tokens (JWTs), signed with the EdDSA algorithm. These JWTs carry information about the user in their claims, namely:

  • sid is the user’s current session ID

  • sub is the user’s SocialLive ID

  • iss is the token issuer, which should always be auth.social.live

  • aud is your SocialLive app ID

  • iat is the timestamp of when the JWT was issued

  • exp is the timestamp at which the JWT expires and is no longer valid. This is generally 30 minutes after the JWT was issued.
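
A backend check of the signature and the claims listed above could look like the following. This is an added example, not SocialLive's own code: the function names, the 60-second clock-skew allowance, reading iat and exp as seconds (RFC 7519), and the way you obtain SocialLive's public key are all assumptions, and the key pair used to mint a test token is a throwaway one.

```javascript
// Added example: validating a SocialLive-style access token with Node's built-in crypto.
const crypto = require('node:crypto');

const ISSUER = 'auth.social.live'; // iss value stated in the claim list above
const b64url = (data) => Buffer.from(data).toString('base64url');

// Verifies signature and claims; returns the claims or throws.
// publicKey: crypto.KeyObject holding the issuer's Ed25519 public key
// (assumption: obtained from SocialLive out of band; the page does not say how).
function verifyAccessToken(token, publicKey, appId, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm: the token must not choose how it is verified.
  if (header.alg !== 'EdDSA') throw new Error('unexpected alg');
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify(null, Buffer.from(`${h}.${p}`), publicKey, sig)) {
    throw new Error('bad signature');
  }
  // Claims are only parsed and trusted after the signature has checked out.
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  if (claims.aud !== appId) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  // Assumption: tolerate 60 s of clock skew on iat.
  if (typeof claims.iat !== 'number' || claims.iat > nowSec + 60) throw new Error('bad iat');
  if (!claims.sub || !claims.sid) throw new Error('missing sub or sid');
  return claims;
}

// Constructed fixture: signs a token with a local key standing in for the issuer.
function mintTestToken(claims, privateKey, header = { alg: 'EdDSA', typ: 'JWT' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(crypto.sign(null, Buffer.from(input), privateKey))}`;
}

// Returns the rejection reason for a token, or null when it is accepted.
function rejection(token, publicKey, appId, nowSec) {
  try { verifyAccessToken(token, publicKey, appId, nowSec); return null; }
  catch (e) { return e.message; }
}
```

Checking aud against your own app ID matters as much as the signature: a token SocialLive issued for a different app is validly signed but must not be accepted by yours.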
