
How to Authenticate Users in BoldDesk Mobile SDK


In BoldDesk Mobile SDK, users can interact with your app in two ways: as anonymous users or as authenticated users. Anonymous users have limited access, while authenticated users require a secure login process using JWT tokens. This article explains the difference between the two and why authentication is required only for authenticated users.

User Types and Permissions

In BoldDesk Mobile SDK, user access is determined by their category. There are two types of users:

1. Anonymous Users

  • Can view public Knowledge Base (KB) articles.
  • Can create tickets.
  • Cannot view ticket history.

Anonymous users do not require authentication. They have limited access and are suitable for quick interactions without login.

2. Authenticated Users

  • Can access the Knowledge Base module.
  • Can submit tickets.
  • Can view all assigned tickets.

Authenticated users require authentication using a secure JWT token. This ensures identity verification and enables full access to support features.

How Authentication Works

  1. The end user logs in to your mobile application.
  2. Your server generates a signed JWT token containing user identity details.
  3. The mobile app uses this token to log in to the BoldDesk Support SDK.
  4. The SDK sends the token to the BoldDesk server for verification.
  5. Upon validation, the user is authenticated, and the SDK grants access to support features.

The JWT access token used for the BoldDesk Mobile Support SDK expires in one hour.
Ensure your app always provides a valid and refreshed token to avoid interruptions.

JWT Token Structure

The JWT must be generated on your backend server using your SDK application’s secret key.

Example Payload:

{
  "email": "user@example.com",
  "name": "Doe",
  "not_before": 1730970000000,
  "not_after": 1730970600000
}

  • The difference between not_before and not_after should not exceed 10 minutes.
  • Always generate JWT on the server side using the HS256 signing algorithm.
  • Never expose your JWT secret key in the client app.
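
The token structure above, minted and self-checked on the backend with only the Python standard library. This is an added example, not BoldDesk's own code: it assumes the SDK expects exactly the claim names in the example payload with epoch-millisecond values, and `mint_token`, `check_token` and any secret passed in are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import time

MAX_WINDOW_MS = 10 * 60 * 1000  # limit stated on this page for not_after - not_before

def _b64url(data: bytes) -> str:
    # JWT segments are URL-safe base64 without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()

def mint_token(email, name, secret, now_ms=None, window_ms=MAX_WINDOW_MS):
    """Server side: build and HS256-sign the payload shown above."""
    if not 0 < window_ms <= MAX_WINDOW_MS:
        raise ValueError("validity window must be within 10 minutes")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    parts = ({"alg": "HS256", "typ": "JWT"},
             {"email": email, "name": name,
              "not_before": now_ms, "not_after": now_ms + window_ms})
    signing_input = ".".join(
        _b64url(json.dumps(p, separators=(",", ":")).encode("utf-8")) for p in parts)
    return signing_input + "." + _b64url(_sign(signing_input, secret))

def check_token(token, secret, now_ms):
    """Self-check for backend tests: returns the claims, or None if rejected."""
    try:
        head, body, sig = token.split(".")
        # Verify the MAC in constant time before trusting any decoded field
        if not hmac.compare_digest(_sign(f"{head}.{body}", secret), _b64url_decode(sig)):
            return None
        header, claims = json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body))
        if header.get("alg") != "HS256":  # pin the algorithm, never take it from the token
            return None
        start, end = claims["not_before"], claims["not_after"]
        if end - start > MAX_WINDOW_MS or not start <= now_ms <= end:
            return None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    return claims
```

Load the secret from server-side configuration or a secrets manager and return only the signed token to the mobile app.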

Steps to generate JWT token in Android:

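You can use the following snippet to generate a JWT token for your Android app. As stated above, the secret key must stay on your backend, so run this signing code on the server and return only the signed token to the app.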

import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import java.util.Date

internal fun generateJwt(userEmail: String, secretKey: String, name: String): String {
    val currentTimeMillis = System.currentTimeMillis()
    // Token lifetime: 10 minutes, expressed in milliseconds
    val expiredMinutesInMillis = 10 * 60 * 1000

    // The HS256 algorithm is created using your SDK app secret key
    val algorithm = Algorithm.HMAC256(secretKey)

    // Build and sign the JWT token
    return JWT.create()
        .withClaim("email", userEmail)
        .withClaim("name", name)
        .withIssuedAt(Date(currentTimeMillis))
        .withExpiresAt(Date(currentTimeMillis + expiredMinutesInMillis))
        .sign(algorithm)
}

Steps to generate JWT token in iOS:

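You can use the following snippet to generate a JWT token for your iOS app. As with any signing code that uses the secret key, keep it on your backend and hand the app only the signed token.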

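import Foundation
import SwiftJWT  // assumed library: the JWT, JWTSigner and Claims types below match the SwiftJWT package

// Claims carried by the token
struct MyClaims: Claims {
    let email: String
    let name: String
    let iat: Date
    let exp: Date
}

func generateJwt(userEmail: String, secretKey: String, name: String) throws
    -> String
{
    let currentTime = Date()
    // Token lifetime: 10 minutes
    let expirationTime = currentTime.addingTimeInterval(10 * 60)

    let claims = MyClaims(
        email: userEmail,
        name: name,
        iat: currentTime,
        exp: expirationTime
    )

    // Sign with HS256 using your SDK app secret key
    var jwt = JWT(claims: claims)
    let signer = JWTSigner.hs256(key: Data(secretKey.utf8))
    let signedToken = try jwt.sign(using: signer)

    return signedToken
}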

Frequently Asked Questions (FAQ)

1. What is the difference between anonymous and authenticated users in BoldDesk Mobile SDK?
Anonymous users have limited access—they can view public Knowledge Base articles and create tickets but cannot view ticket history. Authenticated users have full access, including viewing all assigned tickets and accessing the Knowledge Base module.

2. Do anonymous users need authentication?
No. Anonymous users do not require authentication. They can interact with basic features without logging in.

3. Why do authenticated users need JWT tokens?
JWT tokens securely verify the user’s identity and allow access to advanced features like viewing ticket history and managing support interactions.

4. How long does a JWT token remain valid?
The JWT token used for BoldDesk Mobile SDK expires in one hour. Ensure your app refreshes tokens regularly to avoid interruptions.

5. Can I generate JWT tokens on the client side?
No. JWT tokens must be generated on your backend server using your SDK application’s secret key for security reasons.

6. What algorithm should I use for JWT token signing?
Always use the HS256 signing algorithm when generating JWT tokens.

7. What happens if the JWT token expires?
If the token expires, the user will lose access to authenticated features. Your app should refresh the token before it expires to maintain uninterrupted access.

8. Can anonymous users upgrade to authenticated without restarting the app?
Yes. Once the user logs in and obtains a valid JWT token, the SDK can switch the user to authenticated mode without restarting the app.

9. What claims should be included in the JWT token?
Include essential claims like email, name, not_before, and not_after. The time difference between not_before and not_after should not exceed 10 minutes.

10. Is it safe to expose the JWT secret key in the mobile app?
No. Never expose your JWT secret key in the client app. Always keep it secure on the server side.
