Your own backend (Auth)

Xumm xApps yield a JWT that can be used to make subsequent calls from the user context to the Xumm APIs. You can also use this JWT for your own backend.
If you want to identify a Xumm xApp user with your own backend, you can rely on the xApp JWTs issued by Xumm: the secret used to sign the JWT is your own Xumm application secret (HMAC, HS256).
This makes it convenient to obtain three things at once when you call your own backend with an Authorization: Bearer {The Xumm JWT} header:
  1. You obtain basic user information, like the r-address and network the user is connected to, as this information is encoded in the JWT.
  2. You can verify the authenticity of the JWT, as it is signed with your own Xumm API Secret.
  3. You can make calls from the user context to the Xumm backend with this JWT (for as long as it is valid: 24h).
Every time a user opens your xApp, a new JWT is issued, valid for 24h.
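One way to do the HS256 check on your own backend, as an added example (not Xumm's own code). The function names are hypothetical, and the sketch assumes the secret is used as the raw HMAC key and that expiry is carried in a standard `exp` claim; the sample token, secret and claim values are constructed.

```javascript
// Added example: verify an HS256 xApp JWT with Node's built-in crypto only.
const crypto = require('node:crypto');

const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Pull the token out of an "Authorization: Bearer <jwt>" header value.
function bearerToken(authorizationHeader) {
  const m = /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/.exec(authorizationHeader || '');
  if (!m) throw new Error('missing bearer token');
  return m[1];
}

function verifyXappJwt(token, apiSecret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [headerB64, payloadB64, signatureB64] = parts;

  // Pin the algorithm: never let the token's own header choose it ("none", RS256, ...).
  const header = b64urlJson(headerB64);
  if (header.alg !== 'HS256') throw new Error('unexpected alg');

  // Recompute the HMAC over "header.payload" and compare in constant time.
  const expected = crypto.createHmac('sha256', apiSecret)
    .update(`${headerB64}.${payloadB64}`).digest();
  const given = Buffer.from(signatureB64, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }

  // Only trust claims after the signature checks out (assumption: standard `exp` claim).
  const payload = b64urlJson(payloadB64);
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) throw new Error('expired');
  return payload;
}

// Constructed sample token, signed locally so the example runs offline.
function signSample(payload, secret, header = { alg: 'HS256', typ: 'JWT' }) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const body = `${enc(header)}.${enc(payload)}`;
  return `${body}.${crypto.createHmac('sha256', secret).update(body).digest('base64url')}`;
}

// Demo with placeholder values: prints the verified claims.
const demo = signSample({ sub: 'rPLACEHOLDERADDRESS', exp: Math.floor(Date.now() / 1000) + 3600 }, 'constructed-secret');
console.log(verifyXappJwt(bearerToken(`Bearer ${demo}`), 'constructed-secret'));
```

Keep the application secret server-side only, and reject the request on any thrown error rather than falling back to the unverified claims.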
Please note: if you are using the OAuth2 flow instead of an xApp to obtain your JWT, you can verify the OAuth2-issued RS256 JWT using the certificate info published as per OpenID specifications: