
Securing your App

Your Marketplace App communicates with Contentstack via two touchpoints:

  • Webhooks
  • UI Locations

Contentstack supports request signing for both touchpoints: signed webhooks and signed UI locations.

Securing Webhooks

If your app receives any data from a webhook, we encourage you to use the signed webhooks feature on the server side.

This feature lets app developers verify that incoming webhook requests originate from Contentstack itself, which helps them build robust apps and protect any multi-tenant data stored within their apps.
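The check described above, as an added example that is not part of this page or of Contentstack's own SDK: the handler computes an HMAC-SHA256 over the raw request body and compares it in constant time with the signature the request presents, parsing the JSON only after the request is proven authentic. The header name, the HMAC-SHA256 algorithm and the shared secret are assumptions made here for illustration; substitute whatever the signed webhooks feature actually specifies for your app.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumptions (not specified on this page): the signature is an HMAC-SHA256 hex
# digest of the raw request body, computed with a secret shared between
# Contentstack and the app, and arrives in a request header. Both names below
# are placeholders, not real Contentstack identifiers.
SIGNATURE_HEADER = "X-Example-Webhook-Signature"   # placeholder header name
WEBHOOK_SECRET = b"placeholder-webhook-secret"     # constructed placeholder


def sign_webhook_body(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Expected signature over the exact bytes received (never over re-serialised JSON)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook_signature(raw_body: bytes, presented: Optional[str],
                             secret: bytes = WEBHOOK_SECRET) -> bool:
    """True only if the presented signature matches the body; missing header is a failure."""
    if not presented:
        return False
    expected = sign_webhook_body(raw_body, secret)
    # Constant-time comparison: a plain == would leak timing information.
    return hmac.compare_digest(expected, presented.strip().lower())


def handle_webhook(headers: dict, raw_body: bytes,
                   secret: bytes = WEBHOOK_SECRET) -> Optional[dict]:
    """Return the parsed event only if the request is authentic, else None (answer 401)."""
    # HTTP header names are case-insensitive, so match them accordingly.
    presented = next((v for k, v in headers.items()
                      if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not verify_webhook_signature(raw_body, presented, secret):
        return None
    # Parse only after the signature check, so unauthenticated input never reaches the parser.
    try:
        event = json.loads(raw_body)
    except ValueError:
        return None
    return event if isinstance(event, dict) else None
```

The signature must be computed over the bytes exactly as received: frameworks that parse and re-serialise the JSON body before your code runs will change whitespace or key order and the digest will no longer match, so read the raw body first.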

Securing Locations

If your app manages any configuration or exchanges data between the UI and a backend server, we strongly suggest using the Signed Locations feature offered by the App framework.

When you enable this, every initial page-load call carries a JWT app-token that your backend can use to verify that the page-load request originated from Contentstack itself.

Using the JWT app-token payload, respond only with data relevant to the current Organization and Stack. Build your own session from that payload and validate subsequent Ajax calls against your own session.

JWT app-token payload
{
  organization_uid: "",
  installation_uid: "",
  app_uid: "",
  stack_api_key: "",   # available for stack apps
  user_uid: ""
}

Note: Do not use the JWT app-token as a session for further API calls. The token expires after a few minutes. Use its payload to build your own user session.
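The page-load flow above, as an added example that is not part of this page or of Contentstack's App framework: the backend verifies the app-token (signature, pinned algorithm, expiry and the payload fields listed above), exchanges it once for an app-owned session id, and later authorises Ajax calls only for the Organization and Stack that session was created for, so the short-lived JWT is never reused as a session. The HS256 algorithm, the signing secret and the `mint_test_token` helper are assumptions made here so the example runs offline; real app-tokens are issued by Contentstack, and its actual algorithm and key distribution are not documented on this page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption (not documented on this page): the app-token is a compact JWT signed
# with HMAC-SHA256 using a secret the app obtains from Contentstack. Replace the
# algorithm and key handling with whatever the App framework actually specifies.
APP_SIGNING_SECRET = b"placeholder-app-signing-secret"   # constructed placeholder

# Payload fields from this page; stack_api_key is present only for stack apps.
REQUIRED_CLAIMS = ("organization_uid", "installation_uid", "app_uid", "user_uid")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_app_token(token: str, secret: bytes = APP_SIGNING_SECRET,
                     now: Optional[float] = None) -> Optional[dict]:
    """Return the verified claims of a JWT app-token, or None if it must be rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm: the verifier decides how to check, never the token's "alg" field.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None   # missing or passed expiry: the token is short-lived by design
    if any(not payload.get(claim) for claim in REQUIRED_CLAIMS):
        return None
    return payload


def create_session(claims: dict, store: dict, ttl_seconds: int = 3600,
                   now: Optional[float] = None) -> str:
    """Exchange verified claims for an app-owned session id; the JWT itself is not kept."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    store[session_id] = {
        "organization_uid": claims["organization_uid"],
        "installation_uid": claims["installation_uid"],
        "app_uid": claims["app_uid"],
        "stack_api_key": claims.get("stack_api_key"),   # None for org-level apps
        "user_uid": claims["user_uid"],
        "expires_at": now + ttl_seconds,
    }
    return session_id


def authorize_ajax(session_id: str, store: dict, organization_uid: str,
                   stack_api_key: Optional[str], now: Optional[float] = None) -> bool:
    """Allow a follow-up Ajax call only for the tenant the session was created for."""
    now = time.time() if now is None else now
    session = store.get(session_id)
    if session is None or now >= session["expires_at"]:
        return False
    return (session["organization_uid"] == organization_uid
            and session["stack_api_key"] == stack_api_key)


def mint_test_token(claims: dict, secret: bytes = APP_SIGNING_SECRET) -> str:
    """Constructed stand-in for the issuer so the example runs offline; not a Contentstack API."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                           separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"
```

Two points carry the security weight: the algorithm is pinned in the verifier rather than read from the token header, and every data response is keyed off the session's stored `organization_uid` and `stack_api_key`, so one tenant's browser can never obtain another tenant's data by altering request parameters.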
