What is a JWT?

A JSON Web Token (JWT) is an encrypted token format that securely transfers data such as credentials (authentication and authorization) between two applications. JWT is used only for the Readers' login.


Enterprise SSO using JWT

Document360 uses an approach similar to PKCE (Proof Key for Code Exchange) in OAuth to generate the JWT Token.

The high-level diagram below shows how to achieve JWT login flow in Document360.


Steps in the JWT authentication flow

  1. When the end-user tries to access the knowledge base configured with JWT, the Document360 knowledge base will redirect the end-user to the login URL that the team account has configured in Document360 JWT settings

    The assumption here is that the configured login URL resides inside the customer application, which will require authentication

  2. Calling the login endpoint in the customer application invokes the login logic, which sends a request with the user details, client ID, and client secret to the Identity server code generation URL to get the auth code

    This communication is done through the backchannel.

  3. The code generation URL will accept the POST requests with the JSON payload mentioned below

    The client ID and secret must be sent as a basic authorization header.

  4. Follow this link to find out how the header needs to be formed for basic authentication

JSON payload

{
  "username": "firstname + lastname",
  "firstName": "firstname",
  "lastName": "lastname",
  "emailId": "user emailId",
  "readerGroupIds": ["Obtain from Reader groups overview page in the Document360 portal (Optional)"],
  "tokenValidity": 15
}

tokenValidity is given in minutes.

  5. The Identity server will generate the code based on the user details, client ID, and client secret and return the generated code to the customer application

    This is done via the backchannel

  6. Once the customer application receives the auth code from the Identity server, the customer app will append the code to the callback URL found in the JWT settings and redirect the user to the callback URL with the code

    For example, https://{project_name}.document360.io/jwt/authorize?code={code}

  7. Once the Knowledge base receives the auth code in the query parameter, it will send the code to the identity server via backchannel for the ID token and access token

  8. Once the Knowledge base has received the ID token, it will create a session on behalf of the user mentioned in the earlier user details

    By default, this session will be valid for 15 minutes. Once the session cookie expires, the end-user will be redirected to the login URL (hosted within the customer application) to get a new code, and the flow will repeat.

  9. The session renewal will be seamless since the user is already authenticated to the customer application

Token validity

The minimum value that can be set is 5 minutes, and the maximum value that can be set is 1440 minutes (1 day).
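
The backchannel request from the flow above (Basic authorization header, JSON payload, token validity band), as an added example that is not Document360's own code. The endpoint URL, credentials and user are constructed sample values, and joining the first and last name with a space is an assumption.

```python
import base64
import json
import urllib.request

MIN_VALIDITY, MAX_VALIDITY = 5, 1440  # minutes: the band stated on this page


def clamp_validity(minutes):
    """Out-of-band values snap to the nearest bound, as the page describes."""
    return max(MIN_VALIDITY, min(MAX_VALIDITY, int(minutes)))


def build_code_request(code_generation_url, client_id, client_secret,
                       first_name, last_name, email,
                       reader_group_ids=None, token_validity=15):
    """Build (but do not send) the backchannel POST that requests an auth code."""
    # The request carries the client secret, so refuse a non-TLS endpoint.
    if not code_generation_url.lower().startswith("https://"):
        raise ValueError("code generation URL must use https")
    payload = {
        # Assumption: "firstname + lastname" means the names joined by a space.
        "username": f"{first_name} {last_name}",
        "firstName": first_name,
        "lastName": last_name,
        "emailId": email,
        "tokenValidity": clamp_validity(token_validity),
    }
    if reader_group_ids:  # optional field
        payload["readerGroupIds"] = list(reader_group_ids)
    # Basic authentication: base64("client_id:client_secret")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        code_generation_url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/json"},
    )


# Constructed sample values; the real ones come from the JWT settings page.
SAMPLE = build_code_request(
    "https://identity.example.invalid/code", "demo-client-id", "demo-secret",
    "Ada", "Lovelace", "ada@example.com", token_validity=100000)
```

Keep the client secret on the server side of the customer application; the browser only ever sees the returned auth code.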


The HTTP version should be specified (HTTP/2 over TLS), and the SSL version should be set to TLS 1.2.
Without this, the cURL request would fail.

Unlike the other IdP options available (Okta, Azure AD, etc.), the user is not required to have a separate reader account on Document360. The account on the client application is enough.

After enabling the JWT login, the reader can use the client application to log in as a reader account on the Document360 knowledge base site.

Currently, Document360 provides an either-or functionality for the SSO standards. Once the IdP is configured using an SSO standard (SAML, OpenID, or JWT) for a project, the user cannot create another simultaneous session.

For example, if a project is configured in the OpenID standard with Okta as the IdP, the SAML and JWT options would be disabled.

SSO Configuration

1. Creating a JWT

  1. Log in to the Document360 portal
  2. Go to Settings → Users & Security → JWT
  3. Create a JWT (Client secret) from here by clicking on the Create JWT button
  4. Copy the generated client secret by clicking on the copy icon and clicking on Close


The generated client secret will not be available when you revisit this section. If required, the client secret must be regenerated.

  5. The JWT configuration page with all the data will be available now

2. JWT configuration

After a JWT is created, the JWT configuration page will be visible.

a. Set up your application - Copy the Client ID, Callback URL, Code generation URL, and Client secret, and paste them into the appropriate fields in the client application


The configuration page and field arrangement on the client application differ in each client application.

d. JWT basic configuration - Paste the login URL. You can obtain this from the client's application

The reader will land on the new logout page dedicated to the JWT SSO readers if the custom logout link is not provided.

Redirection to other pages instead of the home page

When you configure the JWT post-login, the users are redirected to the Home page of your docs website. If you have not published your Document360 Home page, the users will be redirected to the /docs page.

In scenarios where you want your users to land on an entirely different page in the knowledge base other than the Home or the /docs page, add the code below while you configure your JWT.

URL pattern

https://<Knowledge base URL>/jwt/authorize?code=<code>&redirectUrl=<redirect path>

Parameter            Description
Knowledge base URL   The main URL of your Knowledge base site
Code                 Client ID
Redirect URL         The new URL you want your users to land on post-login

For example,


Document360 will send the Redirection URL as RedirectPath to the Login endpoint. Once the Login endpoint redirects to the Knowledge base site with the auth code, it should return the Redirection URL as a RedirectUrl parameter.
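
One way for the login endpoint to build that redirect, as an added example that is not Document360's own code. It assumes RedirectPath is a site-relative path and drops anything that would send the browser to another origin, since the value arrives in the request and can be set by whoever crafted the link. The function names and the project name in the callback URL are constructed.

```python
from urllib.parse import urlencode, urlsplit


def safe_redirect_path(redirect_path):
    """Return the path if it stays on the knowledge base site, else None."""
    if not redirect_path or not redirect_path.startswith("/"):
        return None
    # "//host" and "/\host" are treated by browsers as another origin.
    if redirect_path.startswith("//") or "\\" in redirect_path:
        return None
    # Control characters have no place in a redirect target.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in redirect_path):
        return None
    try:
        parts = urlsplit(redirect_path)
    except ValueError:
        return None
    if parts.scheme or parts.netloc:
        return None
    return redirect_path


def build_callback_redirect(callback_url, code, redirect_path=None):
    """URL the login endpoint sends the browser to once it has the auth code."""
    query = {"code": code}
    path = safe_redirect_path(redirect_path)
    if path is not None:
        # A rejected path is simply omitted, so the reader lands on the
        # default page (Home or /docs) instead.
        query["redirectUrl"] = path
    return f"{callback_url}?{urlencode(query)}"


# Constructed callback URL following the page's pattern.
CALLBACK = "https://example-project.document360.io/jwt/authorize"
```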


1. If a configured JWT user logs out of the client application, does that mean they would also be logged out of Document360?

The session on Document360 is independent after the initial Single Sign-On. The user could use Document360 even after logging out of the client application for the specified amount of token validity.

For example, if the token validity is set to 1 day, the Document360 session will stay active until the token validity ends. Once the token expires, they will be logged out.

2. What are the minimum and the maximum token validity bands?

The minimum value that can be set is 5 minutes, and the maximum value that can be set is 1440 minutes (1 day).

3. Can I provide a value that exceeds the allowed token validity band?

Even if you provide such a value at configuration time, the nearest allowed value (5 minutes or 1440 minutes) is assigned as the token validity.
