Authentication with Collaboration


Your application signs its own tokens on the server with your environment's private key, which never leaves your server.

This page is a quick setup guide. For the full reference, see Authentication and Authenticate and authorize in Collaboration.

Sign a token

Sign tokens on your server with your environment's private key, which must never leave your server. Collaboration tokens set aud: "Documents" and carry a permissions claim that specifies which documents the user may access and with which action.

import { SignJWT, importPKCS8 } from 'jose'

// Load the ES256 (ECDSA P-256) private key from a server-side environment variable.
const privateKey = await importPKCS8(process.env.TIPTAP_PRIVATE_KEY, 'ES256')

const jwt = await new SignJWT({
  // Permissions claim: which action the user may perform on which resource.
  permissions: [{ action: 'Documents:Write', resource: '*' }],
})
  .setProtectedHeader({ alg: 'ES256' })
  .setIssuer(process.env.TIPTAP_ENVIRONMENT_ID) // iss: your environment ID
  .setSubject('user-identifier') // sub: the authenticated user
  .setAudience(['Documents']) // aud: required by Collaboration
  .setExpirationTime('30m') // exp: keep tokens short-lived
  .sign(privateKey)
// Send this token in the `token` field of the provider. Never expose your private key to a frontend.

See Signing the token for examples in other languages, and Handle token expiry for short-lived tokens and revocation.

Limit access to specific documents

To scope a token to specific documents, set the permission's resource to a single document name, or keep resource '*' and add a prefix constraint so the permission only matches documents whose names start with that prefix:

const jwt = await new SignJWT({
  permissions: [
    {
      action: 'Documents:Write',
      resource: '*',
      // Restrict the wildcard to documents under this user's prefix.
      constraints: { prefix: '1500c624-8f9f-496a-b196-5e5dd8ec3c25/' },
    },
  ],
})
  .setProtectedHeader({ alg: 'ES256' })
  .setIssuer(process.env.TIPTAP_ENVIRONMENT_ID)
  .setAudience(['Documents'])
  .setExpirationTime('30m')
  .sign(privateKey)

This grants write access to every document whose name starts with that user's prefix and nothing else. For the previous allowedDocumentNames model, see Legacy authentication.