Authenticating users

Authenticating ensures that your users can securely access the Knock API from the client applications that they are using, without you exposing your secret API key and allowing blanket access.

Note: you only need to add the authentication here if you're integrating Knock on the client-side of your applications and leveraging feeds or preferences.

API endpoints that require auth

The following calls will require authentication to be used (when called from the client):

  • Fetching a user's notification feed
  • Marking a message as read, seen, or archived

Authentication (in development environments)

In a Knock development environment you can freely use your public key to authenticate all users and do not need to implement any other security mechanisms.

Client SDK example

React notification feed example

Please note: in production environments you will need to authenticate your users using a secure user token. This ensures that your users content is protected and cannot be read by malicious actors.

Authentication (in production environments)

Using our JWT based authentication approach means using a shared secret to sign a new JWT on your backend. This means you can generate the authentication token out-of-band and without an additional network request.

1. Generate the signing key

You can find the signing key in the Knock dashboard under the "developers" section. Save the private key shown to you here. Please note: you won't be shown this key again, so you'll need to regenerate it if you lose access.

2. Sign the JWT

Within your backend application you'll need to sign the JWT and make it available to your front-end client. Usually you'll do this by passing it down as a serialized property on the user, or passing via a cookie.

At a minimum the JWT to be signed must have:

To sign your JWT as middleware in a NodeJS express like app:

3. Send the JWT to the client

In your client application you can now use the JWT to authenticate with Knock:

Client SDK example

React notification feed example

Avoiding authentication

You can avoid authentication altogether by proxying requests to Knock via your backend, although we don't recommend this approach as it will mean adding more latency for your users.