# support-questions
d
Howdy again folks. I am doing some API testing right now using Postman to ensure that my FastAPI path operations are validating that the user has the required roles. I created a JWT token using the docs, however I am getting a 401 response when trying to hit any of the endpoints. I set a base FastAPI dependency of verify_session().
n
Hi
Can I see the backend config?
d
i think i figured out what i was doing wrong. in my Depends statement I was passing the result of verify_session() instead of the callable
but in terms of UserContext, JWT does not provide that. So I am just mocking the expected roles to simulate the validation.
n
So the backend APIs use cookies to verify sessions, have you checked the testing with postman docs?
d
Oh no I didn't know there were docs on that
n
I can point you to it, what recipe are you using?
d
all good, i can find it 🙂
ty
n
Awesome, in case you dont spot it it's a separate section in the recipe docs
In the sidebar
d
I think I'm still stuck on this actually
the doc sections related to postman are for validating the recipe API endpoints
im wondering how can i authenticate to my backend API using JWT or API keys
n
So you want to enable using JWTs for the session recipe
d
yes. and i saw that info in the docs.
n
This would generate a JWT in the session data that you can then use
Alright so you have that set up right?
d
yes
    session.init(
        jwt=session.JWTConfig(
            enable=True,
            # issuer=f'{api_domain}{api_base_path}'
        )
    ),
do i need issuer set?
should that be the supertokens core URL or the API url
n
So a couple things:
- Yep you need to set the issuer to match the api domain and base path with the ones you use in supertokens init
- SuperTokens does not verify JWTs, you would have to build this yourself
Nope, the one you used in your backend when you initialised SuperTokens
apiDomain and apiBasePath
Oh im guessing thats python?
d
so what does adding JWTConfig to the session init func do
yeap python sdk
for supertokens
n
With enable true, it will store the jwt in your session data and provide an API endpoint that is used by JWKS verifiers to fetch the public key to verify the JWT
d
ah i see
n
So for example if you were to use auth0's library to verify the JWT, you can provide it with a jwks endpoint which would be an API exposed by the JWT recipe
d
right
basically i just want a way to hit my APIs via Postman
without having to toggle auth on or off
i generated a JWT against the SuperTokens core api but that is not accepted by my app
n
So unless you absolutely need to use JWTs, I would recommend going with cookies. But if you want to stick with JWTs, you would need to add some custom middleware to your backend to verify the JWT and use that instead of the verifySession middleware that SuperTokens provides
d
cookies would work with postman?
assuming i had a valid browser session
n
Yep the docs should explain how, also you can trigger the sign up flow from postman itself and cookies would still work
d
hm
n
The only thing that wont work is auto refreshing of the session since thats something our frontend SDKs would do normally
But manually calling refresh and then retrying will still work
d
let me see if that works one second
also thanks again for the help
you guys have one of the most active communities ive seen for a project
n
Thanks for the kind words! and we are happy to help
Let us know if you have any issues
d
ohhh
i see
so it spits out the JWT in the user info
n
Yep as part of the access token payload
d
yeah thats not a bad compromise
lemme try it
n
But if you stick to cookies you dont even need to enable JWTs unless you need to integrate with a service that requires JWTs
Plain cookie based auth will work just fine between your frontend and backend
d
ok ill test with just cookies
worked like a charm
n
Awesome