Security & authentication

Learn more about how to secure your client-side applications as they integrate with Knock.

Authentication ensures your users can securely access the Knock API from your client applications without exposing your secret API key, which would grant blanket access.

Note: This integration guide references examples from our client-side JS SDK. You only need to add the authentication outlined in this guide if you're integrating Knock on the client-side of your applications to use the Knock in-app feed or the Knock preferences model.

API endpoints that require auth

The following calls require authentication (when called from the client):

  • Fetching a user's notification feed
  • Marking a message as read, seen, or archived
  • Getting or setting a user's preferences

Authentication (in development environments)

In a Knock development environment, you can use your public key to authenticate all users. You do not need to implement any other security mechanisms.


Note: in production environments you will need to authenticate your users using a secure user token. This ensures that your users' content is protected and cannot be read by malicious actors.

Authentication (in production environments)

Using our JWT-based authentication approach means using a shared secret to sign a new JWT on your backend. This means you can generate the authentication token out-of-band without an additional network request.

1. Generate the signing key

You can find the signing key in the Knock dashboard under the "Developers" page. Save the private key shown to you here. Note: you won't be shown this key again, so you'll need to regenerate it if you lose access.

2. Sign the JWT

Within your backend application, you'll need to sign the JWT and make it available to your front-end client. Usually, you'll do this by passing it down as a serialized property on the user, or by passing it in a cookie.

At a minimum, the JWT to be signed must have:

To sign your JWT as middleware in a Node.js Express-like app:

3. Send the JWT to the client

In your client application you can now use the JWT to authenticate with Knock:


Avoiding authentication

You can avoid authentication altogether by proxying requests to Knock via your backend, although we don't recommend this approach as it will add more latency for your users.