Signed Requests & squatch.js
Signed Requests is an optional but highly recommended feature that provides a layer of security for your program by allowing the SaaSquatch system to validate the data sent to us and confirm it originated from you.
Management of this feature is done through the Tenant Security Settings section of the Install page under Settings.
A Signed Request is a chunk of data sent to the SaaSquatch system that includes a JWT or API key which we use to verify that the data originated from a trusted source. This article will focus on use of JWTs to send authorized information to SaaSquatch via squatch.js. To read about authentication for API, see our guide here.
JWTs provide an extra layer of security when using squatch.js as they are created using your API key, which is something that should only be known to yourself and SaaSquatch. This includes creating and updating users, events, and referrals.
While it is possible to turn off Signed Requests, doing so means that data sent to us that includes your tenant alias sent by any party will be able to easily make unauthorized changes to your program.
🔗 Secure Mode Settings
The Secure Mode settings allow you to determine which, if any, of the squatch.js Methods and some of the Open Endpoint API Methods are required to be signed using a JWT or an API key when connecting to the SaaSquatch system.
The configuration settings for Secure Mode can be found on the Install page under the Settings header in the SaaSquatch Admin Portal. The available settings for Secure Mode include Enabled, Disabled, and Custom. By default your program is set to Custom with all options Enabled except for Create/Update Anonymous User and Get User Widget.
🔗 Secure Mode Enabled
With Secure Mode enabled, all calls made using our squatch.js library and Open Endpoint API are required to be signed with a JWT or an API key to verify the contents of the request, regardless of whether or not authentication is required for the method.
🔗 Secure Mode Disabled
Turning Secure Mode off allows you to make any requests to the SaaSquatch System through the squatch.js library and some requests through Open Endpoint API calls without them needing to be signed with a JWT or an API key.
We highly recommend using Signed Requests to reduce your referral program's exposure to a man-in-the-middle security vulnerability. With Signed Requests turned off more attention should be paid to your incoming referrals. We recommend keeping a close watch on incoming referrals and familiarize yourself with how our referral Security Management System functions.
🔗 Custom Secure Mode Settings
The Custom configurations for Secure Mode allow for granular control over which squatch.js methods and some Open Endpoint API methods are required to be signed with a JWT/API key.
🔗 Granular Settings
|Option||Auth Required for API even if Disabled?||Description|
|Create Account/User||Yes||Enable/Disable the ability to create or update Accounts in the SaaSquatch system without use of Signed Requests|
Enable/Disable the ability to lookup users in your program(s) without use of Signed Requests
|Apply Referral Code||Yes||Enable/Disable the ability to apply a referral code to a user's account without use of Signed Requests|
|List Referrals||Yes||Enable/Disable the ability to list all of the referrals for a given user without use of Signed Requests|
|Create/Update User||Yes||Enable/Disable the ability to create or update a user without use of Signed Requests|
|Create/Update Anonymous User||No||Enable/Disable the ability to Display the Unregistered User Widget without use of Signed Requests|
|Get User Widget||Yes||Enable/Disable the ability to display the widget for the user without use of Signed Requests|
|Get Share Links||Yes||Enable/Disable the ability to get a user's sharelinks without use of Signed Requests|
|Track User Events||Yes||Enable/Disable the ability to sending a user event without the use of a Signed Request|
🔗 How do I use Signed Requests with squatch.js?
If you have activated secure mode, you will need to generate a JWT using you tenant's API key and include it in the squatch.js being made.
You can learn more about building JWTs and including them with your calls by reviewing our JSON Web Tokens Page.
If you have any questions or run into any issues with using signed requests, please reach out to our Success Team for further assistance.