SaaSquatch Help Center

Signed Requests is an optional but highly recommended feature that provides a layer of security for your program by allowing the SaaSquatch system to validate the data sent to us and confirm it originated from you.

Management of this feature is done through the Tenant Security Settings section of the Install page under Settings.

A Signed Request is a chunk of data sent to the SaaSquatch system that includes a JWT or API key which we use to verify that the data originated from a trusted source. This article will focus on the use of JWTs to send authorized information to SaaSquatch via squatch.js. To read about authentication for the API, see our guide here.

JWTs provide an extra layer of security when using squatch.js because they are created using your API key, which should be known only to you and SaaSquatch. This protection covers creating and updating users, events, and referrals.

While it is possible to turn off Signed Requests, doing so means that any party who knows your tenant alias can send data to us and easily make unauthorized changes to your program.

🔗 Secure Mode Settings

The Secure Mode settings allow you to determine which, if any, of the squatch.js Methods and some of the Open Endpoint API Methods are required to be signed using a JWT or an API key when connecting to the SaaSquatch system.

The configuration settings for Secure Mode can be found on the Install page under the Settings header in the SaaSquatch Admin Portal. The available settings for Secure Mode include Enabled, Disabled, and Custom. By default your program is set to Custom with all options Enabled except for Create/Update Anonymous User and Get User Widget.

🔗 Secure Mode Enabled

With Secure Mode enabled, all calls made using our squatch.js library and Open Endpoint API are required to be signed with a JWT or an API key to verify the contents of the request, regardless of whether or not authentication is required for the method.

🔗 Secure Mode Disabled

Turning Secure Mode off allows you to make any requests to the SaaSquatch System through the squatch.js library and some requests through Open Endpoint API calls without them needing to be signed with a JWT or an API key.

We highly recommend using Signed Requests to reduce your referral program's exposure to a man-in-the-middle security vulnerability. With Signed Requests turned off, more attention should be paid to your incoming referrals: keep a close watch on them and familiarize yourself with how our referral Security Management System functions.

🔗 Custom Secure Mode Settings

The Custom configurations for Secure Mode allow for granular control over which squatch.js methods and some Open Endpoint API methods are required to be signed with a JWT/API key.

🔗 Granular Settings

| Option | Auth Required for API even if Disabled? | Description |
|---|---|---|
| Create Account/User | Yes | Enable/Disable the ability to create or update Accounts in the SaaSquatch system without use of Signed Requests |
| Lookup User | Yes | Enable/Disable the ability to look up users in your program(s) without use of Signed Requests |
| Apply Referral Code | Yes | Enable/Disable the ability to apply a referral code to a user's account without use of Signed Requests |
| List Referrals | Yes | Enable/Disable the ability to list all of the referrals for a given user without use of Signed Requests |
| Create/Update User | Yes | Enable/Disable the ability to create or update a user without use of Signed Requests |
| Get User Widget | Yes | Enable/Disable the ability to display the widget for the user without use of Signed Requests |
| Get Share Links | Yes | Enable/Disable the ability to get a user's share links without use of Signed Requests |
| Track User Events | Yes | Enable/Disable the ability to send a user event without the use of a Signed Request |

🔗 How do I use Signed Requests with squatch.js?

If you have activated Secure Mode, you will need to generate a JWT using your tenant's API key and include it in the squatch.js call being made.

You can learn more about building JWTs and including them with your calls by reviewing our JSON Web Tokens Page.

If you have any questions or run into any issues with using signed requests, please reach out to our Success Team for further assistance.