Today we are excited to release a new security feature across all our commercial tools. We now support JSON Web Tokens (JWT) and enforce other important security changes. These changes make an already secure platform even more secure and are the result of nearly two years of effort, but it is worth the wait!
Implementing JWT is an all-or-nothing proposition. In other words, every single tool, our Relay, and our APIs all needed to support JWT before we could release any of our tools. So, needless to say, it required a ton of work over the last two years.
What is JWT?
First, it is important to understand that we have supported both encryption (HTTPS) and IP filtering across all our tools and APIs for quite some time. JWT adds yet another layer of security to our platform. Now, to communicate with our Relay (APIs), an application must first acquire a security token from the Relay and then supply this token with each API request.
To communicate with the Relay, the following process takes place:
- The application must first request a token and include a shared secret key with the request.
- Once the Relay validates the secret key, a token is returned. Note that tokens expire every 15 minutes.
- The application makes an API request and includes the token.
- The Relay validates the token and its expiration date/time.
- The requested information is returned.
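The token flow above, sketched from the Relay's side as an added example (this is not the vendor's code). The page does not state the signing algorithm or claim names, so HS256, the `iat`/`exp` claims, the function names and both constructed keys are assumptions.

```python
import base64, hashlib, hmac, json, time

TOKEN_TTL = 15 * 60  # the page states that tokens expire every 15 minutes
SHARED_KEY = "constructed-shared-key"     # constructed sample value
SIGNING_KEY = b"constructed-signing-key"  # constructed sample value

def b64(data: bytes) -> str:
    # JWT uses unpadded URL-safe base64
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header: str, claims: str, key: bytes) -> bytes:
    return hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()

def issue_token(presented_key: str, now=None):
    """Steps 1-2: validate the shared secret key, then return a token."""
    # Constant-time comparison so response timing does not leak the key
    if not hmac.compare_digest(presented_key.encode(), SHARED_KEY.encode()):
        return None
    now = int(time.time() if now is None else now)
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64(json.dumps({"iat": now, "exp": now + TOKEN_TTL}).encode())
    return f"{header}.{claims}.{b64(sign(header, claims, SIGNING_KEY))}"

def validate_token(token: str, now=None) -> bool:
    """Step 4: check the signature first, then the algorithm and expiry."""
    try:
        header, claims, sig = token.split(".")
        if not hmac.compare_digest(sign(header, claims, SIGNING_KEY), unb64(sig)):
            return False
        # Pin the algorithm; never let the token choose it (e.g. "none")
        if json.loads(unb64(header)).get("alg") != "HS256":
            return False
        exp = json.loads(unb64(claims))["exp"]
    except (ValueError, KeyError, AttributeError, TypeError):
        return False  # malformed tokens are rejected, not raised
    now = time.time() if now is None else now
    return isinstance(exp, (int, float)) and now < exp

if __name__ == "__main__":
    tok = issue_token(SHARED_KEY, now=1000)
    print(validate_token(tok, now=1000 + 60))         # within 15 minutes
    print(validate_token(tok, now=1000 + TOKEN_TTL))  # expired
```

Because the expiry lives inside the signed claims, a client cannot extend a token's lifetime without invalidating the signature; it has to request a fresh token with the shared secret key.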
How do I get started with JWT?
The first step is to install the latest Relay on your 3CX server. The Relay will automatically create unique public and private secret keys. Then you MUST update all of your tools and provide the “public” key. You cannot have some tools using JWT and some not, because a JWT token will be required to communicate with the Relay.