Once a user is signed in, you can request a Para JWT token. This token will provide attestations for the user’s ID, their identity, and any wallets they have provisioned via your application.

Requesting a JWT Token

You can request a JWT token using either the client method or the React hook. Both approaches return the token itself as well as the JWKS key ID (kid) for the keypair that signed it.

Client Method

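import { ParaWeb, Environment } from '@getpara/web-sdk';

const para = new ParaWeb(Environment.BETA, 'your-api-key');

// The user must already be signed in before a token can be issued.
// keyId is the JWKS key ID (kid) of the keypair that signed the token.
const { token, keyId } = await para.issueJwt();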

React Hook

The token’s expiry is set by your customized session length, or defaults to 30 minutes if you have not customized it. Issuing a token, like most authenticated API operations, also renews and extends the session for that duration.

Token Structure

Depending on the user in question, a decoded token payload might resemble the following:

{
  "data": {
    "userId": "d5358219-38d3-4650-91a8-e338131d1c5e",
    "wallets": [
      {
        "id": "de4034f1-6b0f-4a98-87a5-e459db4d3a03",
        "type": "EVM",
        "address": "0x9dd3824f045c77bc369485e8f1dd6b452b6be617",
        "publicKey": "0x0465434f76c8321f386856c44e735fd365a09d42c1da03489184b651c2052ea1c7b19c54722ed828458c1d271cc590b0818d8c7df423f71e92683f9e819095a8c6"
      },
      {
        "id": "d70f64e4-266a-457e-9cea-eeb42341a975",
        "type": "SOLANA",
        "address": "EEp7DbBu5yvgf7Pr9W17cATPjCqUxY8K8R3dFbg53a3W",
        "publicKey": ""
      }
    ],
    "email": "email@example.com",
    "authType": "email",
    "identifier": "email@example.com",
    "oAuthMethod": "google" // or: undefined | "x" | "discord" | "facebook" | "apple"
  },
  "iat": 1745877709,
  "exp": 1745879509,
  "sub": "d5358219-38d3-4650-91a8-e338131d1c5e"
}

JWKS Verification

Para’s JSON Web Key Set (JWKS) files are available at the following URLs:

Environment    JWKS URL
SANDBOX        https://api.sandbox.getpara.com/.well-known/jwks.json
BETA           https://api.beta.getpara.com/.well-known/jwks.json
PROD           https://api.getpara.com/.well-known/jwks.json
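
A sketch of the server-side check against one of these JWKS files, as an added example that is not Para's own code. It assumes RS256 signatures and a kid in the token header (neither is stated on this page), and it uses a locally generated keypair and a constructed JWKS in place of a fetched one so that it runs offline; verifyJwt and makeFixture are hypothetical names.

```javascript
// Added example, not Para's code. Assumptions: RS256 signatures, 'kid' in the JWT header.
const crypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url').toString('utf8');

// Verify a compact JWT against a JWKS object ({ keys: [...] }); returns the payload or throws.
function verifyJwt(token, jwks, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(unb64u(h));
  // Pin the algorithm server-side; never let the token choose it ("none", HS256 confusion).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: { kty: 'RSA', n: jwk.n, e: jwk.e }, format: 'jwk' });
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, sig)) {
    throw new Error('bad signature');
  }
  // Only trust claims after the signature check has passed.
  const payload = JSON.parse(unb64u(p));
  if (typeof payload.exp !== 'number' || payload.exp <= nowSec) throw new Error('expired');
  // Assumption from the sample payload on this page: sub equals data.userId.
  if (!payload.data || payload.sub !== payload.data.userId) throw new Error('sub/userId mismatch');
  return payload;
}

// Constructed fixture: a local keypair and JWKS stand in for the issuer's published keys.
function makeFixture(nowSec) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const kid = 'constructed-kid-1';
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid, use: 'sig' }] };
  const sign = (payload, header = { alg: 'RS256', typ: 'JWT', kid }) => {
    const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
    return `${input}.${b64u(crypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
  };
  const userId = 'd5358219-38d3-4650-91a8-e338131d1c5e'; // userId from the page's sample payload
  const payload = { data: { userId, authType: 'email' }, iat: nowSec, exp: nowSec + 1800, sub: userId };
  return { jwks, sign, payload };
}

const demo = makeFixture(1745877709);
console.log(verifyJwt(demo.sign(demo.payload), demo.jwks, 1745877709 + 60).sub);
```

In a real service, load the JWKS from the URL for your environment and cache it, refetching when a token arrives with a kid you have not seen.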

Best Practices

  • Session Verification: For security-critical operations, verify JWT tokens on both client and server sides
  • Token Expiry: Be aware that tokens expire based on your session configuration and plan accordingly
  • Secure Storage: Never store JWT tokens in insecure locations like localStorage for sensitive applications