> ## Documentation Index
> Fetch the complete documentation index at: https://docs.goshippo.com/llms.txt
> Use this file to discover all available pages before exploring further.

<AgentInstructions>

## Submitting Feedback

If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:

POST https://docs.goshippo.com/feedback

```json
{
  "path": "/docs/Guides_general/authentication_using_JWT",
  "feedback": "Description of the issue"
}
```

Only submit feedback when you have something specific and actionable to report.

</AgentInstructions>

# Authentication using JWT

> Generate JWTs to securely authenticate client-side apps with the Shippo API for white label or gray label integrations.

For server-side applications where you can keep API keys secure, follow our [Authentication](/docs/Guides_general/authentication) guide.
For your client-side applications, we recommend using a JWT to securely authenticate. Following this guide to generate a JWT for your application.

<Info>
  **note**

  Depending on the path you choose for integration, there is a different set of instructions. Refer to our [integration paths](/docs/Guides_general/integration-paths) for more details.
</Info>

## Generate a JWT for an eCommerce store

If you have an eCommerce store that you want to add shipping to, you can generate a JWT using your own Shippo API key.
Follow this example that uses the `embedded/authz/` endpoint to create a JWT.

```shell JWT for eCommerce merchant request theme={null}
curl --location --request POST 'https://api.goshippo.com/embedded/authz/' \
--header 'Authorization: ShippoToken <API_TOKEN>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "scope": "embedded:carriers"
}'
```

```json JWT for eCommerce merchant response theme={null}
{
  "token":      "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c", 
  "expires_in": "1682364890"
}
```

The `token` is the JWT and `expires_in` is a unix timestamp representing when the token expires.

## Generate a JWT for a white label integration

If you have not already, review our guide on [Shippo Platform accounts](/docs/PlatformAccounts/platform_accounts). You must have a Platforms account to create and use Managed Shippo Accounts.

If you do not know your customer's Shippo Account ID, refer to this guide to [retrieve your user's Shippo Account ID](/docs/ShippingElements/auth#1-retrieve-your-users-shippo-account-id).

To generate a JWT for a Managed account, call the `embedded/authz/` endpoint and set the `object_id` of your customers Shippo Account ID to the `SHIPPO-ACCOUNT-ID` in the header of the call.

```shell JWT for white label request theme={null}
curl --location --request POST 'https://api.goshippo.com/embedded/authz/' \
--header 'Authorization: ShippoToken <API_TOKEN>' \
--header 'SHIPPO-ACCOUNT-ID: e0b382dc7d754c0ca6358c09d5d2bdf7' \
--header 'Content-Type: application/json' \
--data-raw '{
    "scope": "embedded:carriers"
}'
```

```json JWT for white label response theme={null}
{
  "token":      "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c", 
  "expires_in": "1682364890"
}
```

The `token` is the JWT and `expires_in` is a unix timestamp representing when the token expires.

## Generate a JWT for a gray label integration

If you have not already, follow the steps in our [guide to request your OAuth key](/docs/OAuth_Integrations/OAuth) and get access to a Bearer Token.

There are 2 ways you can generate your own JWT for gray label integration.

### 1. Direct Authorization API

```shell JWT for gray label request theme={null}
curl --location --request POST 'https://api.goshippo.com/embedded/authz/' \
--header 'Authorization: Bearer <OAUTH_BEARER_TOKEN> \
--header 'Content-Type: application/json' \
--data-raw '{
    "scope": "embedded:carriers"
}'
```

```json JWT for gray label response theme={null}
{
  "token":      "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c", 
  "expires_in": "1682364890"
}

```

The `token` is the JWT and `expires_in` is a unix timestamp representing when the token expires.

### 2. User Server Side Remote Procedure Call to generate JWT

```shell theme={null}
service user {
  rpc DirectAuthorization(DirectAuthorizationRequest) : DirectAuthorizationResponse
}

message DirectAuthorizationRequest {
 context
 requestor: // integration user id
 requested_subject: // alice's id
 token_type: 'jwt'
}
```

```json Response theme={null}
message DirectAuthorizationResponse {
  token: 
  // encoded jwt
  expires: 
  //unix timestamp representing when the token expires
}
```

The `token` is the JWT and `expires_in` is a unix timestamp representing when the token expires.

## Use your JWT

JWT works the same as an API token. To test your generated JWT, call the [list all carrier parcel templates](/api-reference/carrier-parcel-templates/list-all-carrier-parcel-templates) endpoint. Remember to replace `<JWT_TOKEN>` with the token you have generated.

```shell Use JWT request theme={null}
curl --location --request GET https://api.goshippo.com/parcel-templates  \
    --header 'Authorization: JWT <JWT_TOKEN>' \
    --header 'Content-Type: application/json'
```

```json Use JWT response theme={null}
[
  {
    "name": "FedEx® Small Box (S1)",
    "token": "FedEx_Box_Small_1",
    "carrier": "FedEx",
    "is_variable_dimensions": false,
    "length": "12.375",
    "width": "10.875",
    "height": "1.5",
    "distance_unit": "in"
  }
]
```