Πήγαινε στο κύριο περιεχόμενο

Widget Authorization

Legalesign widgets are authenticated components. They make Legalesign API calls internally, so your application must pass a token to the widget before it can operate.

Your backend mints the token. The browser only receives the short-lived token the widget needs.

Token Approaches

There are two ways to provide a token to a widget:

ApproachHow it worksBest for
SRP JWTYour server authenticates with SRP and passes the JWT access token directly to the widget token attributeIntegrations that already use SRP and need full GraphQL access alongside the widget
Component tokenYour server calls generateComponentToken with an API key, then passes the returned short-lived token to the widgetWidget-only integrations that don't need SRP setup

The generateComponentToken mutation is API-key-only — SRP users don't need it because they already have a valid JWT.

Never expose API keys or SRP credentials in browser code. Token minting must happen server-side.

Token Options by Widget

Widgetcomponent valueScope fieldReturns
Document ViewerLS_DOCUMENT_VIEWERdocumentViewer (optional, not yet enforced)token, expiresIn, expiresAt
SignerLS_SIGNERsigner: { recipientId }token, sessionId, expiresIn, expiresAt

The token is expected to last about one hour. Use expiresIn or expiresAt from the response to decide when to refresh — don't hard-code the duration.

Export This Article

Save a copy of this page as PDF or plain text.