Widget Authorization
Legalesign widgets are authenticated components. They make Legalesign API calls internally, so your application must pass a token to the widget before it can operate.
Your backend mints the token. The browser only receives the short-lived token the widget needs.
Token Approaches
There are three ways to provide a token to a widget:
| Approach | How it works | Best for |
|---|---|---|
| SRP JWT directly | Your server authenticates with SRP and passes the JWT access token directly to the widget token attribute | Integrations that already use SRP and don't need a scoped token |
| Component token (API key) | Your server calls generateComponentToken with an API key, then passes the returned short-lived token to the widget | Widget-only integrations that don't use SRP |
| Component token (SRP) | Your server calls generateComponentToken with an SRP JWT, then passes the returned short-lived token to the widget | SRP integrations that want a scoped, short-lived widget token |
The generateComponentToken mutation supports both API-key and SRP authentication.
Never expose API keys or SRP credentials in browser code. Token minting must happen server-side.
Token Options by Widget
| Widget | component value | Scope field | Returns |
|---|---|---|---|
| Document Viewer | LS_DOCUMENT_VIEWER | documentViewer (optional, not yet enforced) | token, expiresIn, expiresAt |
| Signer | LS_SIGNER | signer: { recipientId } | token, sessionId, expiresIn, expiresAt |
The token is expected to last about one hour. Use expiresIn or expiresAt from the response to decide when to refresh — don't hard-code the duration.
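The refresh rule above, as an added example that is not Legalesign's own code: a server-side cache that re-mints a widget token shortly before the expiry reported in the response. `mintFn`, `sessionKey` and the one-minute skew are hypothetical, and the code assumes `expiresIn` is in seconds and `expiresAt` is an ISO 8601 string.

```javascript
// Added example, not Legalesign code. mintFn is a hypothetical wrapper around
// your server's generateComponentToken call and resolves to the mutation result.
const REFRESH_SKEW_MS = 60_000; // assumption: re-mint one minute before expiry

// Absolute expiry (epoch ms) read from the response, never hard-coded.
// Assumptions: expiresIn is in seconds, expiresAt is an ISO 8601 string.
// When both are usable the earlier one wins (the conservative choice under clock skew).
function expiryMs(resp, receivedAtMs) {
  const candidates = [];
  const absolute = Date.parse(resp.expiresAt);
  if (Number.isFinite(absolute)) candidates.push(absolute);
  if (Number.isFinite(resp.expiresIn) && resp.expiresIn > 0) {
    candidates.push(receivedAtMs + resp.expiresIn * 1000);
  }
  if (candidates.length === 0) throw new Error("no usable expiry in token response");
  return Math.min(...candidates);
}

function createTokenCache(mintFn, now = Date.now) {
  const entries = new Map();  // key -> { resp, expires }
  const inFlight = new Map(); // key -> pending mint, so concurrent calls share one

  // sessionKey is your application's own session id (hypothetical parameter):
  // a token minted for one of your users is never handed to another.
  return async function getToken(sessionKey, component, scope = {}) {
    const key = JSON.stringify([sessionKey, component, scope.recipientId ?? null]);
    const hit = entries.get(key);
    if (hit && now() < hit.expires - REFRESH_SKEW_MS) return hit.resp;
    entries.delete(key); // missing, expired, or inside the refresh window
    if (!inFlight.has(key)) {
      const pending = Promise.resolve()
        .then(() => mintFn(component, scope))
        .then((resp) => {
          entries.set(key, { resp, expires: expiryMs(resp, now()) });
          return resp;
        })
        .finally(() => inFlight.delete(key));
      inFlight.set(key, pending);
    }
    return inFlight.get(key);
  };
}
```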
Related
- Document Viewer — includes inline token example
- Signer — includes inline token example
- generateComponentToken
- ComponentToken
- Authenticate with the GraphQL API