JWT Authentication

Overview

JSON Web Tokens are an open, industry-standard (RFC 7519) method for representing claims securely between two parties. Realm Platform offers a JWT provider that lets you integrate with an existing authentication system. You must modify the authentication server to expose a flow that produces signed JSON Web Tokens, which your app then transmits to the Realm Object Server for verification. This is our recommended authentication provider for Realm Platform applications.

Prerequisites

You must have access to an established JWT authentication system (such as Auth0).

You must generate a public/private key pair, which will be shared between your app and the Realm Cloud. You can find a guide here.

Client Authentication

Server URL

To authenticate, you must supply a server URL. This is the base URL for your server, such as https://myinstance.cloud.realm.io or http://127.0.0.1:9080.

Note that the authentication URL uses the http/https scheme, because user authentication is handled over standard HTTP. Do not confuse the authentication URL structure with the realm/realms scheme used by Realm sync URLs.

Swift:
    let authURL = URL(string: "https://myinstance.cloud.realm.io")!

Objective-C:
    NSURL *authURL = [NSURL URLWithString:@"https://myinstance.cloud.realm.io"];

Java:
    String authURL = "https://myinstance.cloud.realm.io";

Javascript:
    const authURL = "https://myinstance.cloud.realm.io";

.Net:
    var authURL = new Uri("https://myinstance.cloud.realm.io");

Credentials

Java:
    SyncCredentials credentials = SyncCredentials.jwt("my-jwt-token");

Javascript:
    const jwtToken = 'acc3ssT0ken...';
    Realm.Sync.User.registerWithProvider('http://my.realm-auth-server.com:9080', 'jwt', jwtToken, (error, user) => { /* ... */ });

.Net:
    var jwtToken = "...";
    var credentials = Credentials.Custom("jwt", jwtToken, null);

Enable/Disable

Cloud:

JWT authentication is disabled by default in Cloud, as it requires configuration.

To enable or disable JWT, browse to the Settings menu in your instance in the cloud portal.

Self-Hosted:

By default, the JWTAuthProvider is disabled when creating a project via ros init.

For more details on how to enable or disable this provider, head over to our server docs.

FAQ

JWT Expiration

Presently, the expiration time of a JWT token is only checked on authentication. If it is expired at the time of authentication, the user login will fail. However, after receiving an access token, the user's access is tied to the lifetime of the Realm token rather than the JWT token. This means that a user's access will not be revoked on expiration of the JWT token if they had already successfully authenticated. If this is required, a developer will need to implement this in their application logic in conjunction with a re-authentication screen or a syncuser.logout call.
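
One way to implement the application-side expiry enforcement described above, as an added example that is not Realm's own code. The names `jwtExpiryMs`, `enforceJwtLifetime` and `sampleToken` are hypothetical, and the only assumption about the user object is that it exposes a `logout()` method.

```javascript
// Read the exp claim (RFC 7519 NumericDate, seconds since epoch) from a
// compact JWT. The signature is NOT verified here: the value is only used to
// end the local session early, never to grant access.
function jwtExpiryMs(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  return Number.isFinite(claims.exp) ? claims.exp * 1000 : null;
}

const MAX_TIMER_MS = 0x7fffffff; // setTimeout overflows beyond ~24.8 days

// Hypothetical helper: logs `user` out and calls `onExpired` (e.g. to show the
// re-authentication screen) once the JWT has expired. Returns a cancel function.
function enforceJwtLifetime(user, token, onExpired, now = Date.now) {
  const expMs = jwtExpiryMs(token);
  let timer = null;
  const check = () => {
    // Design choice in this example: a token without exp fails closed.
    const left = expMs === null ? 0 : expMs - now();
    if (left <= 0) {
      user.logout();
      onExpired();
      return;
    }
    // Long lifetimes are re-checked in chunks instead of one oversized timer.
    timer = setTimeout(check, Math.min(left, MAX_TIMER_MS));
  };
  check();
  return () => clearTimeout(timer);
}

// Constructed sample token with a placeholder signature, for the demo only.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.c2ln`;
}

const demoUser = { loggedOut: false, logout() { this.loggedOut = true; } };
enforceJwtLifetime(demoUser, sampleToken({ exp: 1 }), () => {})();
console.log('expired token logged out:', demoUser.loggedOut);
```

Call the returned function when the user logs out manually so the pending timer is cancelled.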

Example Projects

For users who want to learn more about integrating JWT in their application, we have a few tutorials.