Skip to main content
Oftentimes you may already have JWT tokens for your users. Popular authentication libraries such as Firebase, NextAuth, Stytch, or Privy, already use JWTs to represent the log in state of a user. In such cases, you can directly pass Crossmint that exact same JWT on API calls, and Crossmint will be able to validate them. However, you may not currently have JWTs, or you may wish to create a custom JWT scoped only for Crossmint, for additional security reassurance. This guide details the steps necessary to integrate your custom JWT auth with Crossmint.

Issue a Custom JWT for Crossmint

On this integration path, you must perform four high level steps:
  • Create a public/private keypair
  • Generate JWTs
  • Expose a JWKS endpoint
  • Pass the user’s JWT to Crossmint when using relevant APIs

Create the Public/Private keypair

To generate a private key for JWT (JSON Web Token) encryption, you can use several methods depending on your preferred programming language and toolset.
Here’s how you can do it using openssl, a widely used tool for cryptographic operations:
Store the base64 encoded version of the private key to your environment file and then remove the private_key_base64.txt file from your system.
.env
Next, you must extract the public key from the private key:
Store the encoded public key to your environment file also:
.env
This approach helps ensure that your private key is stored securely. The corresponding public key can be used to verify the JWTs signed with the private key.

Creating the JSON Web Token

JSON Web Tokens, or JWT for short, are a standard way to encode a series of claims in a payload, that you sign, and can be verified later by a separate party (verifier, in this case, Crossmint) by using public key cryptography. Crossmint requires you to create a JWT with the following claims: In addition, you must ensure you follow the following configurations when creating the tokens: Below is some backend example code to generate a valid JWT for a given user. First, ensure you have the jose package installed: npm install jose.

How to Test

Use the jwt.io token debugger to decode and inspect your tokens. You can also test locally on your machine decoding your own token and ensuring the fields are properly decoded, using jose.

Expose a JWKS Endpoint

In the step earlier, you learned how to create JWT tokens that Crossmint can interpret. However, in order for Crossmint to validate that these tokens are coming from your project and not an impersonator, Crossmint must validate their signatures against your public key. You must communicate to Crossmint what your public keys are by using a standard JSON Web Key Set endpoint (JWKS). This is a public API endpoint on your server where you can broadcast what are the current keys valid for your tokens. The reason why this is implemented as an API, instead of you passing Crossmint a static public key in the console, is in order to support key rotation of your JWT keys in the future. Below is a very basic example
Once your endpoint is set up, share the URL with your Crossmint Customer Success Engineer.

Passing the JWT to Crossmint in API Calls

The last step to complete the loop is that when you’re invoking a Crossmint API, you must pass the JWT. At this time, the only API that uses it is getOrCreateWallet() in the Smart Wallet SDK, which takes the JWT as an input.

Advanced Topics

Key Rotation

The private key used for signing your signatures could, over time, be compromised. Crossmint recommends that you rotate your keys every 6 months to a year. When performing a rotation, keep the old key if possible as a valid key for a day or so, to ensure none of your existing tokens expire.