Skip to main content

Widget Authorization

Legalesign widgets are authenticated components. They make Legalesign API calls internally, so your application must pass a token to the widget before it can operate.

Your backend mints the token. The browser only receives the short-lived token the widget needs.

Token Approaches

There are four ways to provide a token to a widget:

ApproachHow it worksBest for
SRP JWT directlyYour server authenticates with SRP and passes the JWT access token directly to the widget token attributeIntegrations that already use SRP and don't need a scoped token
GraphQL component token (API key)Your server calls generateComponentToken with an API key, then passes the returned short-lived token to the widgetWidget-only integrations that don't use SRP
GraphQL component token (SRP)Your server calls generateComponentToken with an SRP JWT, then passes the returned short-lived token to the widgetSRP integrations that want a scoped, short-lived widget token
REST APIYour server calls the REST component-token endpoint with an API keyREST-only integrations that don't use GraphQL

The GraphQL generateComponentToken mutation supports both API-key and SRP authentication. The REST endpoints are API-key-only.

Never expose API keys or SRP credentials in browser code. Token minting must happen server-side.

Token Options by Widget

WidgetGraphQLRESTReturns
Document ViewergenerateComponentToken(input: { component: LS_DOCUMENT_VIEWER })GET /templatepdf/{pdfId}/component-token/token, expiresIn, expiresAt
SignergenerateComponentToken(input: { component: LS_SIGNER, signer: { recipientId } })GET /signer/{signerId}/component-token/token, sessionId, expiresIn, expiresAt

The token is expected to last about one hour. Use expiresIn or expiresAt from the response to decide when to refresh — don't hard-code the duration.

Export This Article

Save a copy of this page as PDF or plain text.