---
title: "JWT Authentication"
description: "Enhance your app's security through the use of short-lived access tokens."
---

## How It Works

<Steps>
  <Step title="Generate an RSA key pair">
    <Tabs items={["shell"]}>
      <Tab title="shell">
        ```bash
        openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
        openssl rsa -pubout -in private_key.pem -out public_key.pem
        ```
      </Tab>
    </Tabs>

    Store your private key securely. You will need it to sign access tokens later.
  </Step>

  <Step title="Set up your account">
    Log in to [https://console.rye.com](https://console.rye.com/account) and update the public key field in your account settings with the public key generated in the previous step.
    ![](/_holocron/images/d8897706-jwt-validation.png)
  </Step>

  <Step title="Generate access tokens">
    Create an endpoint within your backend system designed to generate and provide access tokens for your frontend application.

    <Tabs items={["TypeScript"]}>
      <Tab title="TypeScript">
        ```typescript
          import jwt from 'jsonwebtoken';

          // Example configuration source; these environment variable names are placeholders, not Rye-defined.
          // PEM text of the private key generated in Step 1.
          const RSA_PRIVATE_KEY = process.env.RSA_PRIVATE_KEY!;
          // graphql.api.rye.com for production, staging.graphql.api.rye.com for staging.
          const JWT_AUDIENCE = process.env.JWT_AUDIENCE!;
          // Your unique issuer value can be found in the Rye console under the Account tab.
          // Note this value is unique per environment (staging vs production).
          const JWT_ISSUER = process.env.JWT_ISSUER!;

          function generateToken(): string {
            return jwt.sign(
              {},
              RSA_PRIVATE_KEY,
              {
                algorithm: 'RS256',
                expiresIn: '1h', // Rye's policy restricts TTL durations to a maximum of one hour.
                audience: JWT_AUDIENCE,
                issuer: JWT_ISSUER,
              }
            );
          }
        ```
      </Tab>
    </Tabs>
  </Step>

  <Step title="Use the access token">
    Include the access token within the Authorization header for any requests made to the Rye API.

    <Tabs items={["TypeScript"]}>
      <Tab title="TypeScript">
        ```typescript
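          import axios from 'axios';

          // JWT_TOKEN is an access token returned by the backend endpoint from the previous step.
          const response = await axios.post(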
            RYE_API_ENDPOINT,
            GRAPHQL_REQUEST_BODY,
            {
              headers: {
                'Authorization': `Bearer ${JWT_TOKEN}`,
                'Content-Type': 'application/json',
              },
            }
          );
        ```
      </Tab>
    </Tabs>

    <Note>
      When utilizing JWT authentication, there's no need to include the `Rye-Shopper-IP` header in your requests, as Rye will automatically use the client's IP address.
    </Note>
  </Step>
</Steps>
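A local pre-flight check for tokens issued by the endpoint above, added here as an example (it is not Rye's code and not how Rye validates tokens): it confirms RS256, a signature that verifies against the uploaded public key, a lifetime of at most one hour, and the expected audience and issuer. The key pair and the `example-issuer` value are constructed for the demo, and measuring TTL as `exp - iat` is an assumption.

```typescript
import { createSign, createVerify, generateKeyPairSync } from 'node:crypto';

const MAX_TTL_SECONDS = 3600; // One-hour maximum from this guide; measured here as exp - iat (assumption).
const encode = (obj: object): string => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decode = (part: string): Record<string, unknown> | null => {
  try { return JSON.parse(Buffer.from(part, 'base64url').toString('utf8')); } catch { return null; }
};

// Hand-rolled RS256 signer, used only to build constructed sample tokens for the check below.
function signRs256(claims: object, privateKeyPem: string, alg = 'RS256'): string {
  const signingInput = `${encode({ alg, typ: 'JWT' })}.${encode(claims)}`;
  const signature = createSign('RSA-SHA256').update(signingInput).sign(privateKeyPem);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Returns a list of problems; an empty list means the token matches the settings in this guide.
function preflightCheck(token: string, publicKeyPem: string, audience: string, issuer: string): string[] {
  const parts = token.split('.');
  if (parts.length !== 3) return ['token is not a three-part JWS'];
  const [h = '', p = '', s = ''] = parts;
  const header = decode(h);
  const claims = decode(p);
  if (!header || !claims) return ['header or payload is not valid JSON'];
  if (header.alg !== 'RS256') return ['alg is not RS256']; // Pin the algorithm; never let the header choose it.
  const problems: string[] = [];
  const verified = createVerify('RSA-SHA256').update(`${h}.${p}`).verify(publicKeyPem, Buffer.from(s, 'base64url'));
  if (!verified) problems.push('signature does not verify with this public key');
  const now = Math.floor(Date.now() / 1000);
  const { exp, iat, aud, iss } = claims;
  const auds: unknown[] = Array.isArray(aud) ? aud : [aud];
  if (typeof exp !== 'number') problems.push('exp is missing');
  else if (exp <= now) problems.push('token is expired');
  else if (exp - (typeof iat === 'number' ? iat : now) > MAX_TTL_SECONDS) problems.push('TTL exceeds one hour');
  if (!auds.includes(audience)) problems.push('aud does not match');
  if (iss !== issuer) problems.push('iss does not match');
  return problems;
}

// Constructed sample data: a throwaway key pair and a placeholder issuer value.
const { publicKey, privateKey } = generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' }, privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const AUD = 'staging.graphql.api.rye.com';
const ISS = 'example-issuer';
const nowSec = Math.floor(Date.now() / 1000);
const good = signRs256({ iat: nowSec, exp: nowSec + 3600, aud: AUD, iss: ISS }, privateKey);
console.log(preflightCheck(good, publicKey, AUD, ISS));
```

Run it against a token from your own endpoint by passing the contents of `public_key.pem` and your environment's audience and issuer values to `preflightCheck`.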


