Notivize offers two ways to secure your event endpoints against unwanted event injection: API key authentication and JWT authentication. Read more about them and choose which is most appropriate for your use case.

API Key Authentication

API keys are a form of "shared secret" authentication, wherein a long string of random characters is generated by Notivize, and your code uses this same string when communicating with Notivize to prove your identity, since only Notivize and you should know the key. API keys are commonly used for server-to-server integrations where the code runs inside a controlled environment and the API key can be kept secret.

API keys should not embedded in front-end HTML/JavaScript, or in a mobile application such as and Android or iOS app. Any code which runs on the end user's computer (as opposed to your server) is inherently insecure against snooping.

API keys are standard practice for most server-side deployments, including APIs and services in C, C++, Go, Java (non-Android), Node.js, Python, Ruby, and more.

To add an API key:

  1. Click "Settings" in the left menu
  2. Click "Identity & Authentication"
  3. Scroll to "API Keys"
  4. Click "Request API Key"
  5. Name your key
  6. Copy the key for use in your code
  7. Click "Done"

To configure API key authentication:

  1. Click "Workspaces" in the left menu
  2. Select the workspace
  3. Select the notification
  4. Scroll to "Secure your endpoint"
  5. Select your existing API key
  6. Your code samples will update to show how to send the API key with your events.

Notivize API Keys

JWT Authentication

JWT authentication is a form of cryptographic authentication, wherein a trusted source who knows the identity of the user issues a "token" to the user which is cryptographically signed. This token is easy for anyone (e.g. Notivize) to verify, but can only be created by the trusted source (often a social network or an IaaS platform such as Auth0). JWTs are usually used for delegated sign-on on major web platforms such as "Sign in with Google".

JWTs are appropriate for many client-side web frameworks such as AngularJS, React, or Vue, or any mobile or even server-side application which uses authentication that already produces a JWT for the user.

To add a JWT provider:

  1. Click "Settings" in the left menu
  2. Click "Identity & Authentication"
  3. Scroll to "JWT Providers"
  4. Click "Add JWT Provider"
  5. Enter the URL to your public JWK set. These are the public keys which anybody can use to verify the authenticity of a JWT issued by this provider. This parameter is required, and will ensure that only JWTs issued by this provider are honored.
  6. Optionally, enter an audience parameter to verify. This is not required, but is recommended if you are directly using a major social login provider such as Google OpenID. This will ensure that only JWTs which are issued by this provider for this audience are honored.
  7. Click "Check API Credentials"

To configure JWT authentication:

  1. Click "Workspaces" in the left menu
  2. Select the workspace
  3. Select the notification
  4. Scroll to "Secure your endpoint"
  5. Select your existing JWT provider
  6. Your code samples will update to show how to send the JWT with your events.

Notivize JWT Authentication