Appsmith
GithubDiscordAppsmith CloudCommunity Forum
Search…
v1.3
Introduction
Setup Appsmith
Tutorials
Sample Apps
Templates
How To Guides
Debugging Errors
FAQs
Telemetry
Security
Core Concepts
Connecting to Data Sources
Connect to Databases
Connecting to REST APIs
Basic
OAuth 2.0
Signature Header
Self-signed Certificates
Execute Queries
Query Settings
Displaying Data (Read)
Capturing Data (Write)
Writing Code
Designing an Application
Building Dynamic UI
Access Control
Version Control with Git
JSON Web Tokens (JWT)
Datasource Reference
Amazon / Generic S3
ArangoDB
DynamoDB
Elasticsearch
Firestore
Google Sheets
MongoDB
MS SQL
MySQL
PostgreSQL
Redis
Redshift
Snowflake
SMTP
Framework Reference
Appsmith Context Object
Query
Show Modal
Close Modal
Download
Intervals (Time events)
Show Alert
Navigate To
Store Value
Copy To Clipboard
Reset Widget
JavaScript Editor (Beta)
Widget Reference
Audio
Audio Recorder
Button
Button Group
Camera
Chart
Checkbox
Checkbox Group
Container
Currency Input
Datepicker
Divider
Document Viewer
Form
Filepicker
Icon Button
Iframe
Image
Input
JSON Form
List
Maps
Map Chart
Menu Button
Modal
Multi-select
Multi-tree-select
Phone Input
Progress
Radio Group
Rating
Rich Text Editor
Select
Stat Box
Switch
Switch Group
Tabs
Table
Text
Tree-select
Video
Powered By GitBook
Signature Header
The signature header can be used to verify the authenticity and integrity of API requested made by Appsmith.
This is an option that can be enabled on REST datasources. When enabled, we also require a signature secret (a string of at least 32 characters) as input from the user. The effect of this option being enabled is that every API call made to this datasource will include an additional header, X-Appsmith-Signature, whose value is a JWT signed with the secret provided by the user. Following are details of how this signature is constructed, what the JWT contains and what significance this header holds to users.

Enabling the header

There's two steps to enable the signature header for a particular REST datasource:
  1. 1.
    Set Send Appsmith signature header to Yes.
  2. 2.
    Set the Session Details Signature Key to a random string that is at least 32 characters long.
Now Save the datasource and any action built on top of this datasource should now have an X-Appsmith-Signature header with a JWT (described below) as it's value.

Contents of the JWT

A JWT is made up of three parts. The header, payload and signature. The header and payload are essentially base64 encoded JSON objects.
A typical header JSON object looks like the following:
1
{
2
"alg": "HS256",
3
"typ": "JWT"
4
}
Copied!
A typical payload JSON object looks like the following:
1
{
2
"iss": "Appsmith",
3
"exp": 1516239022
4
}
Copied!

Construction of token and signature

Now, these two are taken to construct the following string (let's call this the body):
1
base64Encode(JSON.stringify(header)) + "." + base64Encode(JSON.stringify(payload))
Copied!
This body is then signed using the algorithm specified in the header's alg key. The secret used to make this signature is the one configured in the datasource by the user. This signature is then appended to the above body, with another "." in the middle.

Significance of the signature

The signature will ensure the authenticity and integrity of this JWT.
Authenticity: Authenticity is the property of the token that proves that the token is originating from Appsmith.
A signature cannot be recreated without access to the secret that was used to create it. The fact that the secret signature is only available to Appsmith and the user, proves the signature's and so the token's authenticity.
Integrity: Integrity is the property of the token that it cannot be tampered with.
The signature is constructed using the body, in addition to the secret. So, if the contents of the header or payload or changed (causing a change in the body part of the token), the signature will not match. However, the signature cannot be recreated by the tamperer since the secret is not available to them. So, integrity is ensured, as long as the secret remains a secret.
Learn more about JWTs at https://jwt.io/introduction/.
Previous
Client Credentials
Next
Self-signed Certificates
Last modified 1mo ago
Copy link
Edit on GitHub
Contents
Enabling the header
Contents of the JWT
Construction of token and signature
Significance of the signature