Widget Authorization
Legalesign widgets are authenticated components. They make Legalesign API calls inside the component, so your application must pass a token to the widget before it can load templates, save changes, or prepare documents.
Your backend should mint the token. The browser should only receive the short-lived token that the widget needs.
Token Options
| Option | How it works | Best for |
|---|---|---|
| SRP JWT | Your server authenticates with SRP, receives a JWT access token, and passes that JWT to the widget token attribute | Integrations that already use SRP or need full GraphQL access |
| Component token | Your server uses a Developer Portal API key to call generateComponentToken, then passes the returned token to the widget token attribute | Widget-only integrations that should avoid exposing broader API credentials |
Never expose SRP credentials or Developer Portal API keys in browser code. Store them on your server and exchange them for a widget token there.
Using a Component Token
Call generateComponentToken from your backend with an API key. The mutation is API-key-only and returns a short-lived ComponentToken.
mutation GenerateViewerToken {
generateComponentToken(input: {
component: LS_DOCUMENT_VIEWER
}) {
token
tokenType
expiresIn
expiresAt
}
}
Only the component field is required. The documentViewer scope field exists in the schema for forward compatibility but is not currently enforced.
The component token is expected to last about one hour, but your code should use the response fields instead of hard-coding the duration. expiresIn gives the remaining lifetime in seconds, and expiresAt gives the absolute expiry time.
Pass the returned token to the widget:
<ls-document-viewer
templateid="dHBsYjQ5YTg5NWQtYWRhMy0xMWYwLWIxZGMtMDY5NzZlZmU0MzIx"
token="RETURNED_COMPONENT_TOKEN"
></ls-document-viewer>
Using an SRP JWT
If your integration already uses SRP authentication, your backend can obtain a JWT access token server-side and pass that token to the widget.
<ls-document-viewer
templateid="dHBsYjQ5YTg5NWQtYWRhMy0xMWYwLWIxZGMtMDY5NzZlZmU0MzIx"
token="SERVER_SIDE_SRP_JWT"
></ls-document-viewer>
Use SRP when the same backend flow also needs full GraphQL schema access. For API-key-backed widget flows, prefer generateComponentToken.