After you have set up and tested your JWT configuration, Document360 gives you full control over how each configuration behaves in production. You can enable or disable individual configurations, regenerate secret tokens, manage how readers are routed to the correct JWT setup, control how the reader login page appears, and review a complete audit trail of all changes.
Before you begin
- Only users with the Owner or Admin project role can manage JWT configurations.
- At least one JWT configuration must already exist in your project. If you have not created one yet, see Configure JWT in Document360.
Managing configurations
Enable or disable a JWT configuration
You can deactivate a JWT configuration without deleting it. This is useful when you need to temporarily suspend a configuration without losing its settings.
- Go to Settings () > Users & permissions > JWT.
- Locate the JWT configuration you want to manage.
- Click the Edit () icon on the configuration.
- Expand Advanced settings.
- Toggle Enable JWT authentication off to deactivate, or on to reactivate.
- Click Save.
Delete a JWT configuration
- Go to Settings () > Users & permissions > JWT.
- Locate the JWT configuration you want to remove.
- Click the Delete () icon.
- Confirm the deletion when prompted.
Regenerate secret tokens
Each JWT configuration has a primary secret token and a secondary secret token. The secondary token exists specifically to support rotation: it allows authentication to continue while you update the primary token in your application, preventing any service interruption.
Regenerating a token immediately invalidates the previous token. You must update your application with the new token right away to avoid authentication failures.
- Go to Settings () > Users & permissions > JWT.
- Click the Edit () icon on the configuration.
- Under JWT keys, click Regenerate next to the token you want to replace.
- Copy the new token immediately. Tokens are shown only once and are not stored in Document360.
- Update your application with the new token.
- Click Save.
Managing reader access
Domain-based reader routing
When multiple JWT configurations are active, Document360 routes each reader to the correct configuration based on the domain name they enter on the login page.
Document360 applies a most-specific-match rule. If both example.com and support.example.com are configured, a reader entering support.example.com is routed to that configuration rather than the parent domain. This allows sub-domains to be handled by dedicated configurations without conflict.
Additional routing rules:
- Domain matching is case-insensitive and each domain name must be unique across all JWT configurations in the project.
- If the matched configuration is inactive, the reader is directed to the default login options.
- If no match is found, the reader is directed to the default login options.
- The domain name field applies to JWT routing only. SSO providers cannot be accessed through this field.
JWT and SSO coexistence
JWT and SSO (SAML or OpenID) configurations can be active simultaneously in the same project. Each type is managed independently. Modifying a JWT configuration has no effect on SSO configurations, and vice versa. This allows organizations to support readers from different identity systems through a single knowledge base portal without any conflict between authentication methods.
Example: Enterprise customers may authenticate via JWT tied to your application, while internal team members sign in through a centralized identity provider such as Okta using SAML. Both methods can be active at the same time without interference.
Login button limits
A maximum of 3 JWT login buttons and 5 SSO login buttons can be displayed on the reader login page at any time. These limits are applied independently.
| Authentication type | Maximum login buttons displayed | Access beyond the limit |
|---|---|---|
| JWT | 3 | The first 3 JWT configurations are displayed as sign-in buttons based on their CTA position order. Readers can authenticate by entering their domain name in the Domain name field. Up to 5 JWT configurations can be active in total. |
| SSO | 5 | Only the first 5 SSO providers (by CTA position order) are displayed. SSO providers beyond this limit are not accessible to readers through any means. |
For example, if 5 JWT configurations are active, 3 appear as login buttons and the remaining 2 are accessible only through domain entry. If 6 SSO configurations are active, only 5 are accessible. The 6th cannot be reached by readers.
When the 3-button limit for JWT is reached, all Project Admins receive a system notification: "You've reached the limit of 3 JWT login buttons. Additional JWT configurations will not appear as buttons on the login page. Readers can still sign in by entering their domain name."
Reaching the JWT button limit has no effect on the SSO button limit, and vice versa.
Reader login page states
The login page shown to readers depends on two factors: the state of the Disable default login page toggle and which JWT and SSO configurations are currently active.
| State | Toggle | JWT active | SSO active | Reader experience |
|---|---|---|---|---|
| 1 | OFF | No | Yes | Standard email/password form with SSO login buttons |
| 2 | OFF | Yes | Yes | Standard email/password form with SSO and JWT login buttons |
| 3 | OFF | Yes | No | Standard email/password form with JWT login buttons |
| 4 | ON | No | Yes | SSO login buttons only, no email/password form |
| 5 | ON | Yes | No | Domain name input field with JWT login buttons, no email/password form |
| 6 | ON | Yes | Yes | Domain name input field with JWT login buttons and SSO, no email/password form |
Rules that apply across all states:
- Only active configurations are displayed. Inactive configurations are never shown to readers regardless of toggle state.
- The Domain name input field is displayed whenever the toggle is ON and at least one JWT configuration is active. This ensures that JWT configurations without a visible login button remain reachable through domain entry.
- If all JWT and SSO configurations are inactive while the toggle is ON, readers are shown a message indicating that no login options are currently available.
- Changes to toggle state or configuration status take effect immediately for new reader sessions. Existing authenticated sessions are not affected.
Enable the Disable default login page toggle only after JWT or SSO authentication has been fully configured and tested. If the external authentication provider is misconfigured, readers will be unable to access the knowledge base.
Monitoring and audit
Audit logging
All JWT configuration actions are automatically captured in the audit log, providing a complete and tamper-proof record of changes for compliance and security review purposes.
Actions logged:
- Create, Update, Delete
- Enable, Disable
- Regenerate Primary Token, Regenerate Secondary Token
- Enable/Disable Direct JWT Login
- Enable/Disable Default Login Page toggle
Each log entry records the action type, timestamp (UTC), the identity of the administrator who performed the action, and the configuration name at the time of the action. For update actions, the log captures the specific fields that changed along with the previous and new values. Token values are never recorded; only the fact of rotation is logged to protect credential security.
Logs are retained for a minimum of 90 days. Access to JWT audit logs is restricted to users with Security & Audit permissions.
To enable JWT activity tracking:
- Go to Settings () > Security & Audit > Team auditing > Audit configuration.
- Enable the relevant JWT event toggles.
- Once enabled, JWT activity appears in the Team auditing tab. Use the Event dropdown and search for "JWT" to filter by event type.
Email notification recipients:
| Event type | Recipients |
|---|---|
| All JWT configuration events | Project Admins |
| Secret token regeneration | Project Admins and Project Owners |
Best practices
- Use the secondary secret token as a rotation buffer. Always update the secondary token in your application first, then rotate the primary token. This prevents authentication failures during credential rotation.
- Disable rather than delete JWT configurations when troubleshooting. Disabling preserves your settings and lets you reactivate without reconfiguring.
- Enable Direct JWT login only when JWT is the sole authentication method. When multiple methods are active, disable it so readers can choose their sign-in option.
- Test the Disable default login page toggle in a staging environment before enabling it in production.
- Review the audit log regularly to detect unexpected configuration changes or token regenerations.
- Keep the number of active JWT configurations to what you actively use. Unused configurations create unnecessary management overhead and potential security exposure.
FAQ
Can JWT and SSO be active at the same time?
Yes. JWT and SSO (SAML or OpenID) configurations can coexist in the same project without conflict. Each type is managed independently and changes to one do not affect the other.
What happens if I lose my secret token?
Secret tokens are displayed only once at creation. If lost, navigate to the Edit configuration modal and click Regenerate for the relevant token. Regeneration immediately invalidates the existing token. Update your application with the new token right away to avoid authentication failures.
How many JWT configurations can I have in one project?
You can create up to 5 JWT configurations per project. Up to 3 of them can appear as login buttons on the reader login page. Readers can reach additional configurations by entering their domain name in the Domain name field on the login page.
If I disable a JWT configuration, does it affect existing reader sessions?
No. Disabling a configuration prevents new sign-ins through that configuration but does not terminate existing authenticated sessions. Those sessions remain active until the token expires.