End-user JWT authentication

Pass the JWT token in the Authorization header as Bearer <token>.


State Backed authenticates requests to ensure that they include a valid JWT signed by one of your StateBacked keys.

State Backed also passes the user data from the act claim of your JWT to your machine's allowRead and allowWrite functions to allow you to authorize operations on machine instances.


Use the key (sbk_...) and secret (sbsec_...) generated from running smply keys create to sign a JWT token with an act claim that includes data about your end user (e.g. a sub claim with the user's ID).

HS256("sbsec_...", { "kid": "sbk_...", "alg": "HS256" }, { "aud": "", "act": { "sub": "..." }, ... })

You can also use our token generation library:

import { signToken } from "@statebacked/token";

const jwt = await signToken({
    stateBackedKeyId: process.env.STATEBACKED_KEY_ID,
    stateBackedSecretKey: process.env.STATEBACKED_SECRET_KEY,
    sub: "your-user-id"
    expires: { in: "7d" },
    issuer: ""