Widget Authorization
Legalesign widgets are authenticated components. They make Legalesign API calls internally, so your application must pass a token to the widget before it can operate.
Your backend mints the token. The browser only receives the short-lived token the widget needs.
Token Approaches
There are two ways to provide a token to a widget:
| Approach | How it works | Best for |
|---|---|---|
| SRP JWT | Your server authenticates with SRP and passes the JWT access token directly to the widget token attribute | Integrations that already use SRP and need full GraphQL access alongside the widget |
| Component token | Your server calls generateComponentToken with an API key, then passes the returned short-lived token to the widget | Widget-only integrations that don't need SRP setup |
The generateComponentToken mutation is API-key-only — SRP users don't need it because they already have a valid JWT.
Never expose API keys or SRP credentials in browser code. Token minting must happen server-side.
Token Options by Widget
| Widget | component value | Scope field | Returns |
|---|---|---|---|
| Document Viewer | LS_DOCUMENT_VIEWER | documentViewer (optional, not yet enforced) | token, expiresIn, expiresAt |
| Signer | LS_SIGNER | signer: { recipientId } | token, sessionId, expiresIn, expiresAt |
The token is expected to last about one hour. Use expiresIn or expiresAt from the response to decide when to refresh — don't hard-code the duration.
Related
- Document Viewer — includes inline token example
- Signer — includes inline token example
- generateComponentToken
- ComponentToken
- Authenticate with the GraphQL API