Jupid Partner Docs

Authentication

How partner identity is mapped into a secure embedded Jupid session.

Jupid Embed uses partner-signed JWTs. The partner authenticates the user in its own product, then its server creates a short-lived token for Jupid.

The shared secret must stay on the partner server. It must never be exposed in frontend code, browser bundles, mobile clients, or public repositories.

Required claims

The JWT must be signed with HS256. Use this protected header:

{
  "alg": "HS256",
  "typ": "JWT"
}

and a payload carrying these claims:

{
  "iss": "your-partner-id",
  "aud": "jupid-embed",
  "sub": "partner-user-123",
  "email": "user@example.com",
  "name": "Jane Founder",
  "payload": {
    "company_name": "Acme Studio"
  },
  "iat": 1779360000,
  "exp": 1779360300,
  "jti": "one-token-id"
}

Claim rules

Claim    Rule
iss      Partner ID provided by Jupid.
aud      Must be jupid-embed.
sub      Durable partner user ID. This is the primary mapping key.
email    Used when the partner-user mapping is first created. Existing mappings keep their original Jupid auth email.
name     Display name stored on the Jupid user profile.
payload  Partner metadata stored by Jupid.
iat      Issued-at timestamp in seconds.
exp      Expiration timestamp in seconds. Use roughly 5 minutes.
jti      Unique token ID for traceability.

Jupid maps partner users by (partner_id, external_user_id), where external_user_id comes from sub.

Session flow

  1. The partner page loads /embed.js from the Jupid app URL for the current environment.
  2. The partner page fetches a signed token from its own backend.
  3. The SDK creates an iframe at JUPID_EMBED_APP_URL/embed/:partnerId.
  4. The iframe asks the parent window for the token.
  5. The SDK sends the token to the iframe with postMessage.
  6. Jupid verifies the origin, signature, header, issuer, audience, and expiration.
  7. Jupid finds or creates the mapped Jupid user.
  8. Jupid creates a browser session and redirects the iframe.
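The following is an added, self-contained sketch of both halves of the token handling described above; it is not Jupid's SDK or any partner's code. It uses only the Python standard library: the partner server mints the HS256 token with the required claims, and the receiving side applies the header, signature, issuer, audience and expiry checks of step 6 (the origin check happens outside the token). The secret, partner ID and user values are constructed placeholders.

```python
import base64, hashlib, hmac, json, time, uuid

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_embed_token(secret, partner_id, user, now=None, ttl=300):
    """Partner server side: sign the claims Jupid Embed requires (HS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": partner_id, "aud": "jupid-embed",
        "sub": user["id"],                # durable partner user ID, the mapping key
        "email": user["email"], "name": user["name"],
        "payload": user.get("payload", {}),
        "iat": now, "exp": now + ttl,     # roughly 5 minutes
        "jti": str(uuid.uuid4()),         # unique per token for traceability
    }
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_embed_token(secret, token, expected_iss, now=None):
    """Receiver side: the header, signature, issuer, audience and expiry checks of step 6."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256" or header.get("typ") != "JWT":
        raise ValueError("unexpected header")   # refuse 'none' or any other alg
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")       # check signature before trusting claims
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("bad issuer")
    if claims.get("aud") != "jupid-embed":
        raise ValueError("bad audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    if not claims.get("sub") or not claims.get("jti"):
        raise ValueError("missing sub or jti")
    return claims
```

A partner backend would call mint_embed_token behind an authenticated endpoint and hand only the resulting string to the page, never the secret.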

Origin allowlist

Jupid checks the parent page origin before accepting a token. Send Jupid every local, staging, and production origin that will host the embed in its matching environment.

Example:

http://localhost:3000
https://staging.partner.com
https://app.partner.com

Jupid also configures the iframe's frame-ancestors policy for those origins, so the embed only renders inside allowlisted parent pages.
