JWT reader groups let you control which sections of your private knowledge base each authenticated reader can access. When a reader logs in through JWT SSO, Document360 uses the reader group IDs in their token payload to determine which project versions, languages, categories, and articles they are allowed to view.
A JWT reader group is identical to a regular Document360 reader group. It inherits the same restriction settings. The only difference is how assignment works: instead of manually assigning readers in the portal, you pass their group IDs directly in the JWT payload.
When to use JWT reader groups
Use JWT reader groups when you need to enforce content-based access restrictions for readers who authenticate through JWT SSO.
Example scenario:
Your sales team needs access to pricing and billing articles but should not have access to API documentation or core technical articles.
Solution:
- Create a reader group in the Document360 private project, granting access only to the pricing category.
- Assign the sales team members to this reader group.
Other common scenarios include:
- A customer tier that can only access onboarding guides, not advanced configuration content.
- Multiple user segments who need different views of the same private knowledge base.
If your knowledge base is public or all authenticated readers should see the same content, reader group assignment is not required.
Before you begin
- Your project must have JWT SSO configured. If you have not set it up yet, see Configure JWT in Document360.
- At least one reader group must exist in your project. You can create and manage reader groups from Settings > Users & permissions > Readers & groups > Reader groups tab.
- You must have a Project Owner or Admin role to access reader group settings.
Reader group IDs are only available for JWT-configured projects. They are not visible on regular private knowledge base projects without JWT.
Step 1: Get your reader group ID
Each reader group in Document360 has a unique ID that you include in the JWT payload to assign readers to that group.
- Go to Settings > Users & permissions > Readers & groups.
- Select the Reader groups tab.
- Locate the reader group you want to use. The Group ID is displayed below the group name.
- Click the Copy icon to copy the Group ID to your clipboard.
Step 2: Add reader group IDs to your JWT payload
Once you have the Group ID, include it in the readerGroupIds field of your JWT payload.
Use the following JSON format:
{
  "username": "firstname + lastname",
  "firstName": "firstname",
  "lastName": "lastname",
  "emailId": "user emailId",
  "readerGroupIds": [
    "26b3812e-7879-4407-b1c9-5755c32b886a",
    "674eadcd-793f-4131-b1e0-c1f055cc83b7"
  ],
  "tokenValidity": 15
}
To assign a reader to multiple groups, add each Group ID as a separate entry in the array, separated by commas.
Example for multiple groups:
"readerGroupIds": ["26b3812e-7879-4407-b1c9-5755c32b886a", "674eadcd-793f-4131-b1e0-c1f055cc83b7"]
The tokenValidity field sets how long the token remains valid, in minutes. The minimum value is 5 minutes and the maximum is 1440 minutes (1 day).
When the reader authenticates and accesses the knowledge base, the restrictions defined in their assigned reader group apply automatically. They can only view the project versions, languages, categories, and articles permitted by that group.
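The following is an added example, not Document360 code: a server-side helper that builds the payload above and rejects values that would otherwise leave a reader with unexpected access. The function name, the role names, and the role-to-group mapping are hypothetical; the Group IDs are the sample values from this page, and the username separator and the "at least one group" rule are assumptions.

```python
import json
import uuid

# Hypothetical mapping from your own internal roles to Document360 Group IDs.
# IDs below are the sample values from this page; use IDs copied from the portal.
ROLE_TO_GROUP_ID = {
    "sales": "26b3812e-7879-4407-b1c9-5755c32b886a",
    "onboarding": "674eadcd-793f-4131-b1e0-c1f055cc83b7",
}
MIN_VALIDITY, MAX_VALIDITY = 5, 1440  # minutes, the limits stated on this page


def build_reader_payload(first_name, last_name, email, roles, token_validity=15):
    """Build the JWT payload from server-side roles; raise ValueError on bad input."""
    if isinstance(token_validity, bool) or not isinstance(token_validity, int):
        raise ValueError("tokenValidity must be an integer number of minutes")
    if not MIN_VALIDITY <= token_validity <= MAX_VALIDITY:
        raise ValueError(f"tokenValidity must be {MIN_VALIDITY}-{MAX_VALIDITY} minutes")
    group_ids = []
    for role in roles:
        if role not in ROLE_TO_GROUP_ID:
            # Fail closed: group IDs come only from the mapping, never from the client.
            raise ValueError(f"no reader group configured for role {role!r}")
        group_id = ROLE_TO_GROUP_ID[role]
        # uuid.UUID raises ValueError on truncated or mistyped IDs.
        if str(uuid.UUID(group_id)) != group_id.lower():
            raise ValueError(f"Group ID for role {role!r} is not in canonical form")
        if group_id not in group_ids:  # de-duplicate, keep order
            group_ids.append(group_id)
    if not group_ids:
        # Assumption for a restricted knowledge base: every reader needs a group.
        raise ValueError("reader has no reader group; refusing to build payload")
    return {
        "username": f"{first_name} {last_name}",  # separator is an assumption
        "firstName": first_name,
        "lastName": last_name,
        "emailId": email,
        "readerGroupIds": group_ids,
        "tokenValidity": token_validity,
    }


if __name__ == "__main__":
    # Constructed sample reader.
    print(json.dumps(build_reader_payload("Ada", "Lovelace", "ada@example.com", ["sales"]), indent=2))
```

Deriving `readerGroupIds` from roles your backend already trusts keeps a reader from influencing which groups end up in their own token.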
Timing of changes
Changes to reader group IDs in the payload (additions or removals) take effect only after the reader's current session expires, based on the token validity period.
Example: If the token validity is set to 30 minutes and you add a new Group ID to the payload, the change will not apply until 30 minutes have elapsed. The same applies when removing a Group ID.
Plan any reader group changes with this delay in mind, especially if you need access changes to take effect immediately for a specific reader.
Best practices
- Keep token validity as short as is practical for your use case. Shorter validity means access changes take effect sooner.
- Audit your reader group assignments regularly to ensure readers are not retaining access to content they no longer need.
- Use the copy icon in the portal to paste Group IDs directly, avoiding manual transcription errors.
- Test reader group assignment after any payload change by logging in as a test reader account to confirm access restrictions are applied as expected.
FAQ
Can a reader belong to more than one reader group?
Yes. You can include multiple Group IDs in the readerGroupIds array. The reader will inherit the combined access permissions of all assigned groups.
Why can't I see the Group ID in my project?
Reader group IDs are only visible in JWT-configured projects. If your project does not have JWT SSO enabled, the Group ID field will not appear under the Reader groups tab.
What happens if I add an invalid Group ID to the payload?
The token will still be generated, but the invalid Group ID will not map to any group. The reader may not have the expected access restrictions applied. Always verify Group IDs by copying them directly from the portal.
If I remove a Group ID from the payload, does the reader lose access immediately?
No. Changes take effect only after the current token expires. If the token validity is set to 30 minutes, access changes apply 30 minutes after the last token issuance.