Generating a JWT

Any call to the NPM partner API requires authorization.

Create a partner account with us

Before you can use the API and generate a token, you need to be onboarded by NPM. Onboarding gives you a partner_name and lets you sign NPM clients up for cash accounts.

To onboard you as a new cap table partner, we need the following configuration values from you. We set them on our side and accept only tokens that match them:

  • partner_name - An identifying name of your company
  • iss - Your issuer domain, for example https://yourdomain.com
  • jwks_uri - The path on your iss domain where we can retrieve the public key used in signing your self-signed JWT. This path must both serve the public key used to sign the JWT and be the jwks_uri specified in the token. For example: /path/to/your/jwks

Generating a self signed JWT

To initiate the authorization workflow, you first issue your own JWT, which is presented during authorization to grant you access. Here is an example of the contents of the self-signed JWT you will need to generate:

{
  "iss": "https://yourdomain.com",
  "jwks_uri": "/path/to/your/jwks",
  "aud": "http://sandbox.npmdev.net/api/partners/{partner_name}/oauth2/v1/token",
  "sub": "{account_external_id}",
  "exp": 1720575395
}
  • jwks_uri - the standard OAuth field for specifying the URI (on the iss domain) from which we retrieve the public key that verifies the signature on this JWT. This field has to be specified in the JWT you send, and the URL also has to be static: it is set during your onboarding.
  • aud - specifies that NPM's partner auth is the only intended audience of this token. It should be scoped to just our token-generating endpoint that is specific to your partner_name.
  • iss - the issuer of this JWT, which should be your domain. This also has to match what you specified during your partner account onboarding.
  • sub - the external identifier of an NPM account that is signing up for a cash account. This is acquired from this step.
  • exp - the expiry of this token; it has to be less than 1 hour
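
The following is an added example, not code from NPM: it signs a JWT with the claims above, builds the JWKS document to serve at jwks_uri, and sketches the checks a receiver can make against the onboarded values. RS256, the kid header, the example-partner and example-account-id values, and reading "less than 1 hour" as under 3600 seconds from issuance are assumptions.

```javascript
// Added example, not NPM's code. RS256, the kid and all sample values are assumptions.
const crypto = require('crypto');
const b64url = (v) => Buffer.from(v).toString('base64url');

// Partner side: build and sign the JWT with the claims listed above.
function signPartnerJwt(privateKey, kid, { iss, jwksUri, aud, sub, ttlSeconds }) {
  if (!(ttlSeconds > 0 && ttlSeconds < 3600)) throw new Error('exp must be under 1 hour');
  const exp = Math.floor(Date.now() / 1000) + ttlSeconds;
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const payload = b64url(JSON.stringify({ iss, jwks_uri: jwksUri, aud, sub, exp }));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${header}.${payload}`), privateKey);
  return `${header}.${payload}.${sig.toString('base64url')}`;
}

// Partner side: the JWKS document to serve at iss + jwks_uri (public key only).
function buildJwks(publicKey, kid) {
  return { keys: [{ ...publicKey.export({ format: 'jwk' }), kid, use: 'sig', alg: 'RS256' }] };
}

// Receiver-side sketch: pin alg, select the key by kid, verify the signature, then compare
// claims with the values fixed at onboarding. Returns the claims, or null on any failure.
function verifyAgainstJwks(token, jwks, expected) {
  const [h, p, s, extra] = token.split('.');
  if (!s || extra !== undefined) return null;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256') return null; // never let the token choose the algorithm
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) return null;
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!valid) return null;
  const c = JSON.parse(Buffer.from(p, 'base64url').toString());
  const now = Math.floor(Date.now() / 1000);
  const ok = c.iss === expected.iss && c.jwks_uri === expected.jwksUri &&
    c.aud === expected.aud && c.exp > now && c.exp - now < 3600;
  return ok ? c : null;
}

// Constructed demo values; the key pair is generated in-process for illustration only.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const expected = { iss: 'https://yourdomain.com', jwksUri: '/path/to/your/jwks',
    aud: 'http://sandbox.npmdev.net/api/partners/example-partner/oauth2/v1/token' };
  const token = signPartnerJwt(privateKey, 'demo-key-1',
    { ...expected, sub: 'example-account-id', ttlSeconds: 600 });
  return { token, jwks: buildJwks(publicKey, 'demo-key-1'), expected };
}
```

In production the private key comes from your key store rather than being generated per run, and only the output of buildJwks is published.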

Generating an NPM signed JWT for making your API calls

curl --request POST \
     --url 'https://sandbox.npmdev.net/oauth2/v1/token' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer {self signed jwt}' \