User data authorization

Alexander Boldyrev edited this page Jun 27, 2025 · 3 revisions

There are three possible options for user data authorization, which can be selected on the application profile configuration page.

Security settings

Allow all mobile SDK requests

This is the default option. When selected, all API requests the SDK makes will be authorized using the application code as an API key.

Allow only mobile SDK requests with JSON Web Tokens (JWT) authorization

When this option is selected, certain backend API calls made by the SDK will require authorization with a securely signed JWT. To implement this option, you need to provide an implementation of the MMJwtSupplier interface to the Mobile Messaging SDK, either during initialization with the builder or later using the setter method. The external user ID of the person is also required to generate the token.

Important: The supplier implementation must return as quickly as possible so that it does not suspend SDK operations for a long time. The supplier delegate method will be called on an arbitrary thread.

class MMJwtSupplierImpl: MMJwtSupplier {
    func getJwt() -> String? {
        // Fetch and return your JWT from your backend here.
        // Return nil if no external user ID.
        return fetchJwtFromYourOwnBackend() // Implement this function in your code
    }
}

// Option 1: during initialization, with the builder
let mmJwtSupplierImpl = MMJwtSupplierImpl()
MobileMessaging
    // other builder methods...
    .withJwtSupplier(mmJwtSupplierImpl)
    .build()

// Option 2: later, with the setter
let mmJwtSupplierImpl = MMJwtSupplierImpl()
MobileMessaging.jwtSupplier = mmJwtSupplierImpl

The interface has a single method, getJwt() -> String?, which the SDK will call to obtain the JWT for authorizing API calls. The JWT should be generated and fetched from your backend. If there is no external user ID, the function should return nil. Before making the API call, the SDK will validate the provided token for structure and expiration. If the token fails validation, no API call will be made. With the provided listener, it is possible to handle these errors:

MobileMessaging.saveUser(user) { error in
    if let nsError = error as NSError? {
        if nsError.domain == MMInternalErrorDomain {
            if nsError.mm_code == "JWT_TOKEN_EXPIRED" {
                // JWT is expired: refresh token and retry
            } else if nsError.mm_code == "JWT_TOKEN_STRUCTURE_INVALID" {
                // JWT is invalid: log or check your JWT generation logic
            } else {
                // Other error descriptions, handle as appropriate
            }
        }
    }
}

Objective-C:

[MobileMessaging saveUser:user completion:^(NSError * _Nullable error) {
    if (error != nil) {
        if ([error.domain isEqualToString:MMInternalErrorDomain]) {
            NSString *description = error.mm_code;
            if ([description isEqualToString:@"JWT_TOKEN_EXPIRED"]) {
                // JWT is expired: refresh token and retry
            } else if ([description isEqualToString:@"JWT_TOKEN_STRUCTURE_INVALID"]) {
                // JWT is invalid: log or check your JWT generation logic
            } else {
                // Other error descriptions, handle as appropriate
            }
        }
    }
}];

The required structure of the JWT and an example of how to generate it can be found in the JSON Web Token (JWT) structure and generation example article. The SDK functionalities that require JWT authorization are fetchUser, patchUser, and personalize.
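
Because getJwt() must return quickly and can be called on any thread, one approach is to serve a cached token and check its expiry outside the SDK's call path. The sketch below is an added example, not code from the SDK: `CachedJwtStore`, `jwtExpiry`, `update` and `needsRefresh` are hypothetical names, and the class would adopt the MMJwtSupplier protocol described above to be passed to the SDK.

```swift
import Foundation

// Reads the `exp` claim (seconds since epoch) from a compact JWT. It does not
// verify the signature; it only mirrors a structure-and-expiration check.
func jwtExpiry(_ token: String) -> Date? {
    let parts = token.split(separator: ".", omittingEmptySubsequences: false)
    guard parts.count == 3 else { return nil }
    // base64url -> base64, restoring the padding Data(base64Encoded:) requires
    var b64 = parts[1].replacingOccurrences(of: "-", with: "+")
        .replacingOccurrences(of: "_", with: "/")
    b64 += String(repeating: "=", count: (4 - b64.count % 4) % 4)
    guard let data = Data(base64Encoded: b64),
          let claims = try? JSONSerialization.jsonObject(with: data) as? [String: Any],
          let exp = claims["exp"] as? Double else { return nil }
    return Date(timeIntervalSince1970: exp)
}

// Thread-safe token holder (hypothetical); getJwt() has the signature shown on this page.
final class CachedJwtStore {
    private let lock = NSLock()
    private var token: String?
    private var externalUserId: String?

    // Call from your own refresh code once your backend has issued a token.
    func update(externalUserId: String?, token: String?) {
        lock.lock(); defer { lock.unlock() }
        self.externalUserId = externalUserId
        self.token = token
    }

    // Returns immediately: no network or disk I/O on the caller's thread.
    func getJwt() -> String? {
        lock.lock(); defer { lock.unlock() }
        return externalUserId == nil ? nil : token
    }

    // True when no usable token is cached or it expires within `leeway` seconds.
    func needsRefresh(now: Date = Date(), leeway: TimeInterval = 60) -> Bool {
        guard let t = getJwt(), let exp = jwtExpiry(t) else { return true }
        return exp.timeIntervalSince(now) <= leeway
    }
}

// Constructed sample: empty header, exp = 2000000000, placeholder signature.
let payload = Data(#"{"exp":2000000000}"#.utf8).base64EncodedString()
    .replacingOccurrences(of: "=", with: "")
let store = CachedJwtStore()
store.update(externalUserId: "user-123", token: "e30.\(payload).sig")
print(store.needsRefresh(now: Date(timeIntervalSince1970: 1_999_999_000)))
```

Calling `needsRefresh()` from your own scheduler or before user operations lets the app fetch a new token from the backend before the SDK reports JWT_TOKEN_EXPIRED.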

Disallow all mobile SDK requests

With this option, personal information can only be modified through the Contact Information API.