What are secure requests?

Certain requests in hotglue to fetch tenant-specific information require additional authentication for access.

For instance, if you wish to fetch the raw OAuth credentials for a tenant to make your own requests against the source API, you will need to generate a private signing key and use that to generate a JWT token for access to those endpoints.

To access secure requests you will have to follow these steps:

  1. Generate a private signing key in the hotglue admin panel
  2. Use the private signing key in your backend to generate a JWT token for a specific tenant
  3. Forward this JWT token in your request to the hotglue API for access to low-level, tenant specific information

Generate a private signing key

To generate your private signing key, head to the environment settings page:

From here, press Generate private key under the API Keys section:

🚧

Do not share this private signing key!

For security purposes, hotglue does not store your private signing key. Keys are unique to every hotglue environment and can only be generated by an admin.

You should now store this private signing key in your backend, and use it to create a JWT token for secure requests.

Creating a JWT token

Once you have a private signing token generated, you can generate a JWT token from your backend to make secure requests to the hotglue API.

const jsonwebtoken = require('jsonwebtoken');
const currentTime = Math.floor(Date.now() / 1000);

// TODO: Change this tenant id
const tenantId = "tenant-id";

const token = jsonwebtoken.sign(
  {
    sub: tenantId,
    iat: currentTime,
    exp: currentTime + (60 * 60), // 1 hour from now
  },
  Buffer.from(process.env['HOTGLUE_SIGNING_KEY'], "base64").toString("utf8"),
  {
    algorithm: "RS256",
  }
);