SaaSquatch Help Center

Signed requests provide an additional layer of security for your program by allowing us to validate the data sent to us and confirm it originated from you. This feature is optional, but highly recommended.

JWTs can be used to send authorized information to SaaSquatch via squatch.js or API. Learn more about building JWTs and including them with your calls on our JSON Web Tokens doc.

About signed requests

A signed request is a chunk of data that includes a JWT or API key. We use signed requests to verify that data sent to us comes from a trusted source. If signed requests aren't used and we receive data that includes your tenant alias, then it's possible for this data to make unauthorized or unintended changes to your program.

JWTs provide an extra layer of security when using squatch.js because they are created with your private API key. You can use signed requests when creating or updating participants, events and referrals.
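How a signed request lets the receiver reject altered or unsigned data, as an added example (not SaaSquatch's code or documented token format). It assumes an HS256 JWT keyed with the API key; the payload fields, the sample key and the function names are constructed for illustration.

```javascript
// Added example: HS256 and the payload shape are assumptions, not SaaSquatch's documented format.
const crypto = require('crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');

// Server side: sign the payload with the private API key (the key never goes to the browser).
function signRequest(payload, apiKey) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', apiKey).update(`${header}.${body}`).digest('base64url');
  return `${header}.${body}.${sig}`;
}

// Receiving side: accept the payload only if the algorithm is the pinned one and the signature matches.
function verifyRequest(token, apiKey) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, body, sig] = parts;
  let alg;
  try {
    alg = JSON.parse(Buffer.from(header, 'base64url').toString('utf8')).alg;
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (alg !== 'HS256') return { ok: false, reason: 'unexpected alg' }; // also rejects "none"
  const expected = crypto.createHmac('sha256', apiKey).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  // Constant-time comparison; the length check avoids timingSafeEqual throwing on a size mismatch.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  return { ok: true, payload: JSON.parse(Buffer.from(body, 'base64url').toString('utf8')) };
}

// Constructed sample values.
const API_KEY = 'TEST_example_api_key';
const signed = signRequest({ user: { id: 'u-123', accountId: 'a-123' } }, API_KEY);

// Same header and signature with a different payload: what a modified request looks like to the verifier.
function withSwappedPayload(token, newPayload) {
  const [header, , sig] = token.split('.');
  return `${header}.${b64url(JSON.stringify(newPayload))}.${sig}`;
}

console.log(verifyRequest(signed, API_KEY));
console.log(verifyRequest(withSwappedPayload(signed, { user: { id: 'u-999' } }), API_KEY));
```
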

Manage signed request settings

Your Secure Mode settings determine which squatch.js and Open Endpoint API methods are required to be signed with a JWT or API key. To manage them, sign in to the Admin Portal, then go to Settings > Security and find the Security Settings section.

Secure Mode can be set to Enabled, Disabled or Custom. By default, your Secure Mode setting is Custom, with all options enabled except for Get User Widget.

Important: We highly recommend using signed requests to reduce your referral program's exposure to a man-in-the-middle security vulnerability. If signed requests are disabled, then more attention should be paid to your incoming referrals.

Secure Mode enabled

With Secure Mode enabled, all calls are required to be signed with a JWT or an API key to verify the contents of the request. This requirement applies regardless of whether authentication is needed for the method.

Secure Mode disabled

Disabling Secure Mode allows you to send requests to SaaSquatch without a JWT or API key. You'll be able to make any requests through the squatch.js library and some requests through Open Endpoint API calls.

Custom Secure Mode

By default, Secure Mode is set to Custom. Custom settings allow for granular control of the methods that need to be sent with a JWT or API key. Note that some API calls may still be required to be sent with authentication, even if Disabled is selected. See our API documentation for details.

| Option | Description |
| --- | --- |
| Create Account/User | Enable/Disable the ability to create or update Accounts in the SaaSquatch system without use of Signed Requests |
| Lookup User | Enable/Disable the ability to look up users in your program(s) without use of Signed Requests |
| Apply Referral Code | Enable/Disable the ability to apply a referral code to a user's account without use of Signed Requests |
| List Referrals | Enable/Disable the ability to list all of the referrals for a given user without use of Signed Requests |
| Create/Update User | Enable/Disable the ability to create or update a user without use of Signed Requests |
| Get User Widget | Enable/Disable the ability to display the widget for the user without use of Signed Requests |
| Get Share Links | Enable/Disable the ability to get a user's share links without use of Signed Requests |
| Track User Events | Enable/Disable the ability to send a user event without use of Signed Requests |