# Validation token

Validation tokens are used to attach a Seald identity to:

  • a user identifier, noted userId, in the application in which the SDK is integrated;
  • your application identifier, appId (found in the administration dashboard).

They are derived from the validationKey, which can be retrieved from the administration dashboard.

They are used during identity creation.

# Definition of a userLicenseToken

These tokens are generated offline from the userId of the user for whom a token is being generated, the appId of your application, as well as the validationKey and the validationKeyId.

This license token is generated with scrypt, and is of the form ${validationKeyId}:${nonce}:${token}, with:

  • nonce being a random string;
  • token being scrypt(`${userId}@${appId}-${validationKey}`, nonce);
  • scrypt using as parameters:
    • N: 16384;
    • r: 8;
    • p: 1;
    • output size: 64 bytes.
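
The construction above written as a Node.js function, added here as an illustration; it is not Seald's reference implementation. The hex encoding of the nonce and of the scrypt output, the 32-byte nonce length, and the helper checkUserLicenseToken are assumptions the page does not specify, so check them against Seald's implementation before relying on the output.

```javascript
const crypto = require('node:crypto')

// scrypt parameters and output size as stated on this page.
const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 }
const TOKEN_BYTES = 64

// Assumption: inputs are UTF-8 strings and the 64-byte output is hex-encoded.
function deriveToken (userId, appId, validationKey, nonce) {
  return crypto.scryptSync(
    Buffer.from(`${userId}@${appId}-${validationKey}`, 'utf8'),
    Buffer.from(nonce, 'utf8'), // the nonce is the scrypt salt
    TOKEN_BYTES,
    SCRYPT_PARAMS
  ).toString('hex')
}

function generateUserLicenseToken (userId, appId, validationKey, validationKeyId) {
  // Refuse empty inputs: an undefined value would be interpolated as the
  // literal string "undefined" and silently yield a token for the wrong identity.
  for (const v of [userId, appId, validationKey, validationKeyId]) {
    if (typeof v !== 'string' || v.length === 0) {
      throw new Error('userId, appId, validationKey and validationKeyId must be non-empty strings')
    }
  }
  // Assumption: 32 random bytes, hex-encoded; a fresh nonce for every token.
  const nonce = crypto.randomBytes(32).toString('hex')
  return `${validationKeyId}:${nonce}:${deriveToken(userId, appId, validationKey, nonce)}`
}

// Hypothetical helper for backend tests: recompute the token from the nonce
// and compare in constant time.
function checkUserLicenseToken (licenseToken, userId, appId, validationKey) {
  const parts = licenseToken.split(':')
  if (parts.length !== 3) return false
  const [, nonce, token] = parts
  const expected = Buffer.from(deriveToken(userId, appId, validationKey, nonce), 'hex')
  const actual = Buffer.from(token, 'hex')
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected)
}

// Constructed sample values. In production, read validationKey and
// validationKeyId from the server environment, never from client code.
const sample = generateUserLicenseToken(
  'user-42', 'constructed-app-id', 'constructed-validation-key', 'constructed-key-id')
console.log(sample.split(':').map(part => part.length)) // log lengths only, not the token
```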

# Reference implementation

The reference implementation is in Node.js:

Following this example, it should be easy to reimplement this generation in other languages. If needed, do not hesitate to contact us for assistance in developing an equivalent function in another language.

# How to integrate it within my application

A validation token must be generated for a user before the Seald identity is created and after the userId has been assigned by the application.

Usually this happens:

  • in the response of the API endpoint that handles account validation on the application backend (email validation, for example);
  • in a dedicated authenticated API endpoint accessible only after the account has been validated by the application.

# Security of the validation tokens

The validationKey is secret. If it were leaked, it could result in two effects:

  1. a usurpation of the license quotas associated with the developer account;
  2. overwriting the Seald public identity associated with a user, which can lead to a Man-in-the-middle attack if other precautions are not taken.

WARNING

Therefore, it is imperative that, in a production environment, the generation of license tokens respects the following conditions:

  1. server-side generation of the tokens;
  2. generation only for authenticated users;
  3. protection of the validationKey by appropriate perimeter security measures (at least do not put it directly in the source code of your application, but in an environment variable).