JWT and token signing

Zlick requires a JWT as one of the function inputs. We use it to verify the source of requests. More information about web tokens can be found at jwt.io.

JWT tokens are signed with the client secret provided to you by the Zlick team. You must sign the token with this secret using the 'HS256' algorithm.

Important Note:

JWT signing must only be done on your server, and you should never expose your client secret to the frontend.

JWT header

The header of the web token must be:

{
  "alg": "HS256",
  "typ": "JWT"
}

There are 2 types of payload supported:

Standard Payloads

The two payloads used to make JWT tokens that authenticate any Zlick API are listed below. For methods related to purchase and subscription, the token must carry the purchase and subscription payload, respectively. The contentId or productName parameter helps us identify the configured content/product on Zlick, whereas the token parameter (client token provided by Zlick) helps us authenticate the client.

Purchase Payload

{
  "contentId": "123", // (Required) Your content ID
  "amount": 20, // (Required) Purchase price in change (cents, cross, pennies etc. )
  "token": "clientToken", // (Required) client token provided by Zlick
  "clientUserId": "456", // Optional: Your own system's userID
  "referenceName": "ARTICLE-4076" // Optional: A reference name that will be visible for this product in Zlick Portal
}

Subscription Payload

{
  "productName": "123", // name of product that is configured on Zlick
  "token": "Token", // client token provided by Zlick
  "clientUserId": "456" // Optional: Your own system's userID
}
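
Server-side signing of the purchase payload with the required header, shown as an added example that is not Zlick's own code. It uses only Node's built-in crypto module; the function names, the ZLICK_CLIENT_SECRET environment variable and the sample values are assumptions made for illustration.

```javascript
// Added example (not Zlick code): HS256 signing done on the server only.
const crypto = require('node:crypto');

// JWT segments are base64url without padding.
const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// HMAC-SHA256 over "<header>.<payload>", keyed with the client secret.
const hmac = (signingInput, secret) =>
  crypto.createHmac('sha256', secret).update(signingInput).digest();

// Hypothetical helper: builds the compact token with the header the page requires.
function signZlickToken(payload, clientSecret) {
  if (!clientSecret) throw new Error('client secret is not configured');
  const header = { alg: 'HS256', typ: 'JWT' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${b64url(hmac(signingInput, clientSecret))}`;
}

// Hypothetical helper: returns the payload if the token is valid, otherwise null.
function verifyZlickToken(token, clientSecret) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [h, p, sig] = parts;
  try {
    const header = fromB64url(h);
    // Pin the algorithm so "none" or any other alg value is rejected.
    if (!header || header.alg !== 'HS256') return null;
    const expected = hmac(`${h}.${p}`, clientSecret);
    const given = Buffer.from(sig, 'base64url');
    // Compare in constant time; lengths must match before timingSafeEqual.
    if (given.length !== expected.length) return null;
    if (!crypto.timingSafeEqual(given, expected)) return null;
    return fromB64url(p);
  } catch {
    return null; // malformed base64url or JSON
  }
}

// Constructed sample values. In production the secret comes from server-side
// configuration (the env var name is an assumption) and never reaches the browser.
const SAMPLE_SECRET = process.env.ZLICK_CLIENT_SECRET || 'constructed-demo-secret';
const samplePurchase = { contentId: '123', amount: 20, token: 'clientToken', clientUserId: '456' };
const sampleToken = signZlickToken(samplePurchase, SAMPLE_SECRET);
```

Only the resulting token string is handed to the frontend; the secret stays on the server.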