Cobrowse.io Docs
  • Getting started
  • SDK Installation
    • Web
    • iOS
    • Android
    • React Native
    • Flutter
    • .NET Mobile
    • macOS
    • Windows
  • SDK Features
    • Account config
    • Identify your devices
    • Use 6-digit codes
    • Redact sensitive data
    • Viewing PDFs
    • Universal Cobrowse
    • Customize the interface
      • Active session controls
      • 6-digit code screen
      • User consent dialog
      • Remote control consent dialog
      • Full device consent dialog
      • Localization / translation
    • Initiate sessions with push
    • Listening for events
    • Full device capabilities
      • Full device screen sharing
      • Full device remote control
      • Managing full device mode
    • Advanced configuration
      • Starting and stopping the SDK
      • Declaring capabilities
      • Intercepting mobile SDK network requests
      • Web
        • IFrames support
        • IE 11 polyfills
        • Cross-domain session support
        • Ignore Views
      • iOS
        • Alternate render method
        • Custom touch handling
      • Android
        • Backporting TLS to older Android versions
  • Agent-side integrations
    • Agent-side overview
    • Platform integrations
      • Zendesk
      • Salesforce
        • Migrating from legacy to v2
        • Salesforce (Legacy)
      • Genesys
        • Genesys Cloud
        • Engage Workspace Web Edition (WWE)
        • Engage Workspace Desktop Edition (WDE)
      • Intercom
      • Freshworks
      • Talkdesk
      • NICE
    • Custom integrations
    • Agent SDK
      • API Reference
      • Sample code snippets
    • Authentication (JWTs)
      • JWT Policies
    • Authentication (SAML 2.0)
    • IFrame embeds
  • Enterprise self-hosting
    • Self-hosting overview
    • Docker Compose
    • Helm chart
      • Image Pull Secret
      • Environment Variables
      • Optional recording components
      • Pod Annotations
    • AWS terraform
      • AWS metrics configuration
    • Azure terraform
      • Azure metrics configuration
    • GCP terraform
      • GCP metrics configuration
    • Sizing guidelines
    • Running your instance
      • Adding a superuser
      • Limiting account creation
      • Limiting magic link recipients
      • Configuring SMTP
      • Managing your deployment
    • Monitoring your instance
      • Available metrics
      • Self-Hosted Prometheus
    • Advanced configuration
      • Air gap configuration
      • Pin web SDK version
      • L7 firewall configuration
      • Docker proxy configuration
    • Troubleshooting
Powered by GitBook
On this page
  • Example JWT Policies
  • Upgrading from V1 policies

Was this helpful?

  1. Agent-side integrations
  2. Authentication (JWTs)

JWT Policies

Our JWT policy system provides a powerful mechanism to limit what a given agent can do. Which devices a support agent can connect to or which sessions they are allowed to view are a few examples.

PreviousAuthentication (JWTs)NextAuthentication (SAML 2.0)

Last updated 1 year ago

Was this helpful?

Sometimes you may want to limit the scope of what a JWT can be used for. For example, you may want to limit which devices a support agent can connect to, or which sessions they are allowed to view. Our JWT policy system provides a powerful mechanism for you to configure these types of rules.

The rules are defined as an extra policy claim in the , described using the following structure:

{
  version: 2,
  sessions: { ... optional policy description ... },
  devices: { ... optional policy description ... }
}

When a policy claim is specified on a JWT, only the resources allowed by that policy can be accessed, i.e. an empty policy will not allow access to anything.

The policy description allows you to enforce which values must appear on the resources in order for the JWT to be granted access. Only custom_data properties and resource ids are supported in policies at present. See the examples below for how to build your policy.

Example JWT Policies

A policy that limits the JWT to devices only that are associated to a particular user id:

{
  version: 2,
  devices: { custom_data: { user_id: 'my user id here' } }
}

A policy that limits the JWT to sessions only that are associated to a particular user id:

{
  version: 2,
  sessions: { custom_data: { user_id: 'my user id here' } }
}

A policy that limits the JWT to devices and sessions that you have added your own custom data to:

{
  version: 2,
  sessions: {
    custom_data: {
      my_custom_data: 'some value here',
      my_other_custom_data: 'some other value here'
    }
  },
  devices: {
    custom_data: {
      my_custom_data: 'some value here',
      my_other_custom_data: 'some other value here'
    }
  }
}

A policy that allows full access to sessions, but no access at all to devices:

{
  version: 2,
  sessions: { }
}

A policy that allows access to a session with id 12345, but no access at all to devices:

{
  version: 2,
  sessions: { id: '12345' }
}

Upgrading from V1 policies

Version 1 of our JWT policies are being deprecated in favour of a more flexible structure, so you will need to update your integration with a simple change. To upgrade your policy you should add a custom_data object around the policy for each resource type, and an explicit version field to the policy.

For example, a version 1 policy used to start sessions with matching devices looked like this:

{
    devices: { user_id: 'abcde123' } // Old format!
} 

Would become a version 2 policy that looks like this:

{
    version: 2, // add an explicit version of 2
    devices: { custom_data: { user_id: 'abcde123' } }, // Note the new custom_data object
    sessions: {}
}
JWT