This guide explains how to securely handle user identification when interacting with the Basket API. It describes the JWT-based authentication model the API uses to provide security and GDPR compliance.
To ensure secure operations, the Basket API requires JSON Web Token (JWT) authentication across all endpoints. This guarantees that only authenticated users can manipulate their own baskets.
Option 1: Tokens issued by the streaming provider's IdP

- The streaming provider's Identity Provider (IdP) generates and issues JWT tokens.
- Clients include these tokens in the `Authorization` header with each request.
- The Basket API performs two-stage verification:
  - Authentication: validates the cryptographic integrity of the JWT (its signature).
  - Authorization: verifies the token was issued by a trusted authority.

Example JWT Structure:

```json
{
  "iss": "https://idp.streamingprovider.com",
  "sub": "user123",
  "exp": 1716239022
}
```

Option 2: Tokens issued by the Basket API's anonymous route

- The backend provides an anonymous route accessible to users.
- Upon request, the system generates a JWT token using internal public/private key infrastructure.
- The token is returned to the client, which must include it in the `Authorization` header for all subsequent requests.
Both options can be implemented simultaneously, providing a fallback mechanism to ensure reliability and flexibility.
Endpoints (all require a valid JWT):

- Get Basket: `GET /baskets/users/{userId}`
- Delete Basket: `DELETE /baskets/users/{userId}`
- Add Product: `POST /baskets/users/{userId}/products/{productId}`
- Update Product: `PATCH /baskets/users/{userId}/products/{productId}`
- Delete Product: `DELETE /baskets/users/{userId}/products/{productId}`
- Start Checkout Session: `POST /baskets/users/{userId}/checkout/sessions`
- Finish Active Checkout: `POST /baskets/users/{userId}/checkout/sessions/finish-active`
Benefits:

- Cross-User Protection: prevents unauthorized access to other users' baskets.
- GDPR Compliance: reduces exposure of personal identifiers to third parties.
- Improved Authentication: provides cryptographic verification of request authenticity.
Support
For any questions or support needs during implementation, please contact the Jay Support Team.