Signed Requests
Signed requests provide an additional layer of security for your program by allowing us to validate the data sent to us and confirm it originated from you. This feature is optional, but highly recommended.
JWTs can be used to send authorized information to SaaSquatch via squatch.js or API. Learn more about building JWTs and including them with your calls on our JSON Web Tokens doc.
About signed requests
A signed request is a request whose data is accompanied by a JWT or an API key. We use signed requests to verify that data sent to us comes from a trusted source. If signed requests aren't used and we receive data that includes your tenant alias, that data can make unauthorized or unintended changes to your program, because the tenant alias on its own proves nothing about who sent the request.
JWTs provide an extra layer of security when using squatch.js because they are signed with your private API key, so only a party that holds the key can mint one. You can use signed requests when creating or updating participants, events and referrals.
Manage signed request settings
Your Secure Mode settings determine which squatch.js and Open Endpoint API methods are required to be signed with a JWT or API key. To manage them, sign in to the Admin Portal, then go to Settings > Security and find the Security Settings section.
Secure Mode can be set to Enabled, Disabled or Custom. By default, your Secure Mode setting is Custom, with all options enabled except for Get User Widget.
Important: We highly recommend using signed requests to reduce your referral program's exposure to tampered or spoofed requests, such as those injected by a man-in-the-middle. If signed requests are disabled, anyone who knows your tenant alias can submit data to your program, so pay closer attention to your incoming referrals.
Secure Mode enabled
With Secure Mode enabled, all calls are required to be signed with a JWT or an API key to verify the contents of the request. This requirement applies regardless of whether authentication is needed for the method.
Secure Mode disabled
Disabling Secure Mode allows you to send requests to SaaSquatch without a JWT or API key. You'll be able to make any requests through the squatch.js library and some requests through Open Endpoint API calls.
Custom Secure Mode
By default, Secure Mode is set to Custom. Custom settings allow granular control over which methods must be sent with a JWT or API key. Note that some API calls still require authentication even when the corresponding option is set to Disabled. See our API documentation for details.
Option | Description
---|---
Create Account/User | Enable/Disable the ability to create or update Accounts in the SaaSquatch system without the use of Signed Requests
Lookup User | Enable/Disable the ability to look up users in your program(s) without the use of Signed Requests
Apply Referral Code | Enable/Disable the ability to apply a referral code to a user's account without the use of Signed Requests
List Referrals | Enable/Disable the ability to list all of the referrals for a given user without the use of Signed Requests
Create/Update User | Enable/Disable the ability to create or update a user without the use of Signed Requests
Get User Widget | Enable/Disable the ability to display the widget for a user without the use of Signed Requests
Get Share Links | Enable/Disable the ability to get a user's share links without the use of Signed Requests
Track User Events | Enable/Disable the ability to send a user event without the use of Signed Requests