Generating a JWT

Create a partner account with us

Before you can use the API or generate a token, NPM has to onboard you: we assign you a partner_name and associate it with the list of issuers you currently represent.

To onboard you as a new cap table partner we need the following configuration values from you. We store them on our side and accept only tokens that match them:

  • partner_name - an identifying name for your company
  • iss - your issuer domain, for example https://yourdomain.com
  • jwks_uri - the path on your iss domain from which we fetch the JSON Web Key Set (JWKS) holding the public key that verifies the signature on your self signed JWT, for example /path/to/your/jwks. This value is fixed at onboarding: the jwks_uri claim in every token you send must equal it, and the key set served there must contain the key the token was signed with.

Generating a self signed JWT

To initiate the authorization workflow, you first issue your own JWT; this self signed assertion is what the auth flow uses to grant you access. Here is an example of the contents of the self signed JWT you will need to generate:

{
  "iss": "https://yourdomain.com",
  "jwks_uri": "/path/to/your/jwks",
  "aud": "https://sandbox.npmdev.net/api/partners/{partner_name}/oauth2/v1/token",
  "sub": "{issuer_id1}",
  "obo_user": "[email protected]",
  "exp": 1720575395
}
  • jwks_uri - the URI, relative to your iss domain, from which we retrieve the JWKS containing the public key used to verify this JWT's signature (the JWT is signed, not encrypted). It carries the same name as the jwks_uri field in OpenID Connect provider metadata. The claim must be present in every JWT you send, and it must equal the static value registered during your onboarding.
  • aud - the audience: this token is intended only for NPM's partner auth, so scope it to exactly our token generating endpoint for your partner_name, which is the URL you POST to when exchanging the token.
  • iss - the issuer of this JWT, which should be your domain and must match the iss value you specified during partner account onboarding.
  • sub - the issuer you are authenticating as. Because you represent a number of issuer companies, making calls for a given issuer requires a JWT issued for that issuer. The id you specify here is the id returned by the /issuer_onboarding call for that issuer, the same id you use when referencing it in later API calls.
  • obo_user - the email of the user who initiated the action; every action submitted to NPM through this API must carry one. We use it to audit the calls made and to match permissions on our side: if a user takes authoritative action on their issuer, such as uploading a cap table, that user must also be an issuer admin on NPM's side.
  • exp - the expiry of this token as a Unix timestamp; it must be no more than 1 hour in the future.

Generating an NPM signed JWT for making your API calls

curl --request POST 'https://sandbox.npmdev.net/api/partners/{partner_name}/oauth2/v1/token' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer {self_signed_jwt}'
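The following Go program is an added example and not NPM's own code: it produces the JWKS document to host at iss + jwks_uri, mints the self signed JWT with the claims listed above, and then applies the checks a token endpoint has to make before trusting such an assertion (pinned alg, kid lookup in the onboarded JWKS, signature, and iss/jwks_uri/aud/exp against the onboarded values). The verification side is an assumption about what NPM checks, written from the requirements on this page, not from NPM's implementation. The partner name "examplepartner", the kid, the issuer id "issuer-123", the obo_user email and the 5 minute token lifetime are placeholders chosen for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Values fixed at onboarding. partnerName is an assumed placeholder, not a real NPM partner.
const (
	partnerName   = "examplepartner"
	issuerDomain  = "https://yourdomain.com"
	jwksPath      = "/path/to/your/jwks"
	tokenEndpoint = "https://sandbox.npmdev.net/api/partners/" + partnerName + "/oauth2/v1/token"
)

// jwk is one JSON Web Key; a map keeps the lowercase member names verbatim.
type jwk map[string]string
type jwks struct {
	Keys []jwk `json:"keys"`
}

type claims struct {
	Iss     string `json:"iss"`
	JwksURI string `json:"jwks_uri"`
	Aud     string `json:"aud"`
	Sub     string `json:"sub"`
	OboUser string `json:"obo_user"`
	Exp     int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// publicJWKS builds the document to host at issuerDomain + jwksPath (serve json.Marshal of it).
func publicJWKS(pub *rsa.PublicKey, kid string) jwks {
	return jwks{Keys: []jwk{{"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256",
		"n": b64(pub.N.Bytes()), "e": b64(big.NewInt(int64(pub.E)).Bytes())}}}
}

// mintPartnerJWT signs base64url(header).base64url(claims) with RS256; kid selects the JWKS entry.
func mintPartnerJWT(priv *rsa.PrivateKey, kid, issuerID, oboUser string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims{Iss: issuerDomain, JwksURI: jwksPath, Aud: tokenEndpoint, Sub: issuerID,
		OboUser: oboUser, Exp: now.Add(5 * time.Minute).Unix()}) // short-lived, well under the 1 hour cap
	input := b64(header) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// verifyPartnerJWT makes the checks a token endpoint must make before trusting the assertion
// (assumed from the documented requirements): pinned alg, kid lookup in the onboarded JWKS,
// signature over the first two segments, then iss/jwks_uri/aud/exp against onboarded values.
func verifyPartnerJWT(token string, keys jwks, now time.Time) (claims, error) {
	var c claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	rawHdr, e1 := dec(parts[0])
	rawBody, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return c, errors.New("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("alg must be RS256") // the token never gets to choose alg (no "none", no HS256)
	}
	var key jwk
	for _, k := range keys.Keys {
		if k["kid"] == hdr.Kid && k["kty"] == "RSA" {
			key = k
		}
	}
	n, eN := dec(key["n"])
	e, eE := dec(key["e"])
	if key == nil || eN != nil || eE != nil {
		return c, errors.New("unknown kid or malformed JWK")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("bad signature")
	}
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return c, err
	}
	if c.Iss != issuerDomain || c.JwksURI != jwksPath || c.Aud != tokenEndpoint {
		return c, errors.New("iss, jwks_uri or aud does not match the onboarded values")
	}
	if c.Exp <= now.Unix() || time.Unix(c.Exp, 0).Sub(now) > time.Hour {
		return c, errors.New("expired, or exp more than 1 hour out")
	}
	return c, nil
}
```

To use it, generate a key with rsa.GenerateKey, publish json.Marshal(publicJWKS(&priv.PublicKey, kid)) at your iss domain under the onboarded jwks_uri path, and send the string returned by mintPartnerJWT as the Bearer value in the Authorization header of the POST shown above. Rotating keys means publishing the new key under a new kid before signing with it; keep the private key out of the JWKS entirely.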