
d3adb0y

12/20/2022, 3:13 PM
Howdy again folks. I am doing some API testing right now using Postman to ensure that my FastAPI path operations are validating that the user has the required roles. I created a JWT token using the docs, however I am getting a 401 response when trying to hit any of the endpoints. I set a base FastAPI dependency of verify_session().

nkshah2

12/20/2022, 3:45 PM
Hi
Can I see the backend config?

d3adb0y

12/20/2022, 3:47 PM
i think i figured out what i was doing wrong. in my Depends statement I was passing the result of verify_session() instead of the callable
but in terms of UserContext, JWT does not provide that. So I am just mocking the expected roles to simulate the validation.

nkshah2

12/20/2022, 3:48 PM
So the backend APIs use cookies to verify sessions, have you checked the testing with postman docs?

d3adb0y

12/20/2022, 3:49 PM
Oh no I didn't know there were docs on that

nkshah2

12/20/2022, 3:49 PM
I can point you to it, what recipe are you using?

d3adb0y

12/20/2022, 3:50 PM
all good, i can find it 🙂
ty

nkshah2

12/20/2022, 3:50 PM
Awesome, in case you don't spot it it's a separate section in the recipe docs
In the sidebar

d3adb0y

12/21/2022, 5:43 AM
I think I'm still stuck on this actually
the doc sections related to postman are for validating the recipe API endpoints
im wondering how can i authenticate to my backend API using JWT or API keys

nkshah2

12/21/2022, 5:44 AM
So you want to enable using JWTs for the session recipe

d3adb0y

12/21/2022, 5:44 AM
yes. and i saw that info in the docs.

nkshah2

12/21/2022, 5:44 AM
This would generate a JWT in the session data that you can then use
Alright so you have that set up right?

d3adb0y

12/21/2022, 5:45 AM
yes
session.init(
    jwt=session.JWTConfig(
        enable=True,
        # issuer=f'{api_domain}{api_base_path}'
    )
),
do i need issuer set?
should that be the supertokens core URL or the API url

nkshah2

12/21/2022, 5:46 AM
So a couple things:
- Yep you need to set the issuer to match the api domain and base path with the ones you use in supertokens init
- SuperTokens does not verify JWTs, you would have to build this yourself
Nope, the one you used in your backend when you initialised SuperTokens
apiDomain and apiBasePath
Oh im guessing thats python?

d3adb0y

12/21/2022, 5:46 AM
so what does adding JWTConfig to the session init func do
yeap python sdk
for supertokens

nkshah2

12/21/2022, 5:47 AM
With enable true, it will store the jwt in your session data and provide an API endpoint that is used by JWKS verifiers to fetch the public key to verify the JWT

d3adb0y

12/21/2022, 5:47 AM
ah i see

nkshah2

12/21/2022, 5:47 AM
So for example if you were to use auth0's library to verify the JWT, you can provide it with a jwks endpoint which would be an API exposed by the JWT recipe

d3adb0y

12/21/2022, 5:48 AM
right
basically i just want a way to hit my APIs via Postman
without having to toggle auth on or off
i generated a JWT against the SuperTokens core api but that is not accepted by my app

nkshah2

12/21/2022, 5:49 AM
So unless you absolutely need to use JWTs, I would recommend going with cookies. But if you want to stick with JWTs, you would need to add some custom middleware to your backend to verify the JWT and use that instead of the verifySession middleware that SuperTokens provides

d3adb0y

12/21/2022, 5:50 AM
cookies would work with postman?
assuming i had a valid browser session

nkshah2

12/21/2022, 5:51 AM
Yep the docs should explain how, also you can trigger the sign up flow from postman itself and cookies would still work

d3adb0y

12/21/2022, 5:51 AM
hm

nkshah2

12/21/2022, 5:51 AM
The only thing that won't work is auto refreshing of the session since that's something our frontend SDKs would do normally
But manually calling refresh and then retrying will still work

d3adb0y

12/21/2022, 5:51 AM
let me see if that works one second
also thanks again for the help
you guys have one of the most active communities ive seen for a project

nkshah2

12/21/2022, 5:52 AM
Thanks for the kind words! and we are happy to help
Let us know if you have any issues

d3adb0y

12/21/2022, 5:53 AM
ohhh
i see
so it spits out the JWT in the user info

nkshah2

12/21/2022, 5:54 AM
Yep as part of the access token payload

d3adb0y

12/21/2022, 5:54 AM
yeah thats not a bad compromise
lemme try it

nkshah2

12/21/2022, 5:54 AM
But if you stick to cookies you don't even need to enable JWTs unless you need to integrate with a service that requires JWTs
Plain cookie based auth will work just fine between your frontend and backend

d3adb0y

12/21/2022, 5:54 AM
ok ill test with just cookies
worked like a charm

nkshah2

12/22/2022, 4:27 AM
Awesome