Security & authentication
Authentication ensures your users can securely access the Knock API from your client applications, without you exposing your secret API key and allowing blanket access.
Note: This integration guide references examples from our client-side JS SDK. You only need to add the authentication outlined in this guide if you're integrating Knock on the client-side of your applications to use the Knock in-app feed or the Knock preferences model.
API endpoints that require auth
The following calls require authentication (when called from the client):
- Fetching a user's notification feed
- Marking a message as read, seen, or archived
- Getting or setting a users preferences
Authentication (in development environments)
In a Knock development environment you can use your public key to authenticate all users. You do not need to implement any other security mechanisms.
Client SDK example
React notification feed example
Note: in production environments you will need to authenticate your users using a secure user token. This ensures that your users content is protected and cannot be read by malicious actors.
Authentication (in production environments)
Using our JWT based authentication approach means using a shared secret to sign a new JWT on your backend. This means you can generate the authentication token out-of-band and without an additional network request.
1. Generate the signing key
You can find the signing key in the Knock dashboard under the "Developers" page. Save the private key shown to you here. Note: you won't be shown this key again, so you'll need to regenerate it if you lose access.
2. Sign the JWT
Within your backend application you'll need to sign the JWT and make it available to your front-end client. Usually you'll do this by passing it down as a serialized property on the user, or passing via a cookie.
At a minimum the JWT to be signed must have:
To sign your JWT as middleware in a NodeJS express like app:
3. Send the JWT to the client
In your client application you can now use the JWT to authenticate with Knock:
Client SDK example
React notification feed example
Avoiding authentication
You can avoid authentication altogether by proxying requests to Knock via your backend, although we don't recommend this approach as it will add more latency for your users.