Authentication

To use Smart Auth Authentications API, you will need to generate Smart Auth access token. This page shows the steps on how to create the key, generate the access tokens and the recommended ways to do it.

Getting your Smart Auth key

Go to the Smart Auth tokens page;
If you do not have a token, generate one.
Retrieve the clientId and clientSecret from one of the generated tokens.

You can repeat this procedure to generate accesses combining different functions and SDKs.

Generating your token

Recommended method

The following steps describe how you can generate a token that is valid only for a specific user. This is the recommended way to generate and distribute tokens because it limits a possible attack to a single user account.

At some point in your application flow, create a JWT with the structure of the example below;
- Remember to replace the {clientId}, {personId} and {expiresAt} fields.
- All of these fields are strongly recommended, but you can see which ones are required at the bottom of this page.
Sign the token with your clientSecret;
Send this token to your application.

Example:

{
    "iss": "{clientId}", // string
    "exp": {expiresAt}, // number
    "personId": "{personId}" // string
}

Not recommended method (only for tests)

Go to jwt.io;
Keep the Header field, do not change;
Edit the payload, only the iss field is required;
Replace **** your-256-bit-secret with your clientSecret;
Click Share JWT to copy the generated token to the clipboard;
Use this token to authenticate the SDK.

JWT payload parameters

Parameter

Required

Description

iss

Yes

Your clientId

exp

Expiration time (seconds since the Unix Era)

personId

The CPF (Individual Taxpayer Registration Number) for which the token will be valid

Best practices for token-based authentication

To ensure a secure and reliable integration when using token-based authentication with our service, follow these recommended practices and avoid common pitfalls.

✅ Recommended practices

Practice

Description

Generate and sign tokens on the server

Always issue JWTs from your trusted backend system to avoid exposing signing keys.

Use HTTPS for all communications

Prevent man-in-the-middle attacks and ensure encryption in transit.

Use short expiration times for JWTs

Minimize the window for token misuse in case of interception. Tokens should typically expire within a few minutes.

Monitor token usage and behavior

Implement logging and monitoring to detect abnormal or suspicious activity.

❌ Unsafe practices

Practice

Risk

Generating tokens on the frontend

Exposes your signing keys and compromises the entire authentication system.

Storing signing keys or secrets in frontend/mobile apps

Secrets in client-side code can be extracted and misused.

Using long-lived tokens

Increases the window of vulnerability in case of leakage.

Hardcoding secrets in version-controlled code

Secrets in code repositories can be leaked or accessed by unauthorized users.

Security tip

Never expose your secrets, private keys, or JWT signing credentials on the client-side. Always treat tokens and secrets as sensitive data and follow the principle of least privilege.

Last updated 18 days ago