JWT Pass-Through
If your app already issues JWTs to signed-in users, this is the simplest option. You hand Buddy the same token; Buddy verifies the signature with your public keys and maps the claims to an Identity Context. Buddy never sees your signing key.
Prerequisites
- A reachable JWKS URL (recommended) — e.g.
https://auth.example.com/.well-known/jwks.json— or a static PEM public key. - An asymmetric signing algorithm (RS256, ES256, …). Symmetric
HS*tokens are not supported here — use the signed session token method instead. - Short token lifetimes. Buddy honours
expand rejects expired tokens.
Claim mapping
Tell Buddy which claims carry identity. Defaults shown:
| Field | Default claim |
|---|---|
| User ID | sub |
email | |
| Role | role |
Add any extra claims (e.g. plan, tier) as
custom attributes and they become available to the agent.
Example: issue and pass a token
// Node — sign a short-lived token for the signed-in user.
import jwt from 'jsonwebtoken';
const token = jwt.sign(
{ sub: user.id, email: user.email, role: user.role, plan: user.plan },
privateKey,
{ algorithm: 'RS256', expiresIn: '5m', issuer: 'https://auth.example.com' }
);
// Hand it to the widget (see "Authenticating your users").
window.BuddyWidget.setAuthToken(token);# Python — sign with PyJWT.
import jwt, time
token = jwt.encode(
{"sub": user.id, "email": user.email, "role": user.role,
"exp": int(time.time()) + 300, "iss": "https://auth.example.com"},
private_key,
algorithm="RS256",
)Troubleshooting
| Code | Meaning & fix |
|---|---|
AUTH_JWT_INVALID | Signature didn't verify. Check the algorithm and that your JWKS exposes the signing key. |
AUTH_JWT_EXPIRED | Token's exp has passed. Refresh tokens more often, or enable a grace period. |
AUTH_JWT_NO_SUBJECT | No user-id claim found. Set the correct User ID claim. |
AUTH_JWKS_UNREACHABLE | Buddy couldn't fetch your JWKS or use the public key. Verify the URL is public and returns valid JSON. |