# Authentication

# End-user JWT authentication

Pass the JWT in the `Authorization` header as `Bearer <token>`.

## Use

State Backed authenticates each request by checking that it includes a valid JWT signed by one of your State Backed keys.

State Backed also passes the user data from the `act` claim of your JWT to your machine's `allowRead` and `allowWrite` functions, so that you can authorize operations on machine instances.

## Generation

Use the key (`sbk_...`) and secret (`sbsec_...`) generated by running `smply keys create` to sign a JWT with an `act` claim that includes data about your end user (e.g. a `sub` claim with the user's ID).

```
HS256(
  "sbsec_...",
  { "kid": "sbk_...", "alg": "HS256" },
  { "aud": "https://api.statebacked.dev/", "act": { "sub": "..." }, ... }
)
```

You can also use our token generation library:

```
import { signToken } from "@statebacked/token";

const jwt = await signToken(
  // Key ID and secret from `smply keys create`; keep the secret server-side only.
  {
    stateBackedKeyId: process.env.STATEBACKED_KEY_ID,
    stateBackedSecretKey: process.env.STATEBACKED_SECRET_KEY,
  },
  // Contents of the `act` claim passed to allowRead / allowWrite.
  { sub: "your-user-id" },
  // Token options: lifetime and issuer.
  {
    expires: { in: "7d" },
    issuer: "https://your-domain.com/",
  }
);
```
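
The following is an added example, not State Backed's code or part of the original page: it builds the token from the HS256 pseudocode in the Generation section by hand in Node.js, then applies the checks a verifier makes (pinned `alg`, `kid` lookup, constant-time signature comparison, `aud`, `exp`). Assumptions: the secret string is used directly as the HMAC key bytes, `iat`/`exp` are included, and `signHs256`, `verifyHs256`, `KEYS` and the sample key values are hypothetical; use `@statebacked/token` to produce real tokens.

```javascript
const crypto = require("node:crypto");

const AUD = "https://api.statebacked.dev/";
const b64url = (v) => Buffer.from(v).toString("base64url");
const hmac = (secret, data) =>
  crypto.createHmac("sha256", secret).update(data).digest();

// Build the token from the page's pseudocode: header {kid, alg}, payload {aud, act, ...}.
// Assumption: the secret string is used as-is (UTF-8 bytes) for the HMAC key.
function signHs256(keyId, secret, act, ttlSeconds, now = Date.now()) {
  const iat = Math.floor(now / 1000);
  const header = b64url(JSON.stringify({ kid: keyId, alg: "HS256" }));
  const payload = b64url(JSON.stringify({ aud: AUD, act, iat, exp: iat + ttlSeconds }));
  const signingInput = `${header}.${payload}`;
  return `${signingInput}.${b64url(hmac(secret, signingInput))}`;
}

// Verifier-side checks. `keys` maps key ID -> secret (hypothetical key store).
function verifyHs256(token, keys, now = Date.now()) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, sig] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  // Pin the algorithm instead of trusting the header (rejects "none" and others).
  if (header.alg !== "HS256") throw new Error("unexpected alg");
  const secret = Object.hasOwn(keys, header.kid) ? keys[header.kid] : undefined;
  if (!secret) throw new Error("unknown kid");
  const expected = hmac(secret, `${h}.${p}`);
  const given = Buffer.from(sig, "base64url");
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    throw new Error("bad signature");
  // Claims are parsed and trusted only after the signature has verified.
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  if (claims.aud !== AUD) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp <= Math.floor(now / 1000))
    throw new Error("expired");
  return claims.act;
}

// Constructed sample values, not real credentials.
const KEYS = { sbk_example: "sbsec_example_secret" };
const token = signHs256("sbk_example", KEYS.sbk_example, { sub: "user-123" }, 3600);
console.log(verifyHs256(token, KEYS)); // act claim of the verified token
```

The secret never leaves the server in this flow; only the signed token is sent to the client and on to the API in the `Authorization` header.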