
Hi everyone, I’m Elvin Torres-Alicea from the Docebo Support team, and I would like to share this informational guide on how to obtain an access token using a JWT Bearer grant type via Postman.

 

The guide assumes that you already have Postman installed on your computer and that the API and SSO app is installed on your LMS platform.

 

More information on how to get an authentication token is available in the following KB article:

https://help.docebo.com/hc/en-us/articles/360020082060-APIs-Authentication

 

Downloading postman:

https://www.postman.com/downloads/

 

Please see the attachments section below to download the document.

 

More Knowledge base articles for API:

https://help.docebo.com/hc/en-us/articles/360020082040-API-General-Information

 

Feedback/Questions

We’d love to hear your thoughts on this guide and if it was helpful for you. Please share any feedback and/or questions below.

Nice, I typically use one of the authentication methods for security and have it pass down the collection, but super useful to know!


This is a really useful guide. I have spent all morning trying to get JWT working in Postman, so that I can take the logic over to Power BI, because reporting in the front end is extremely difficult. This guide detailed every step to complete the task.

That said, I would like a reference that points to how the Public Key works and relates to the other pieces of the solution.  Some other generic JWT resources online didn’t detail that step, so I’d really like to understand what is going on.


@will.murray -- In the scenario of Docebo API Authentication, here’s how I interpreted it:

  • In the initial No-Auth request to the token URL, you include your OAuth2 client ID and secret as form-encoded values. This is basically like authenticating to use the API by giving your app (Postman, etc.) credentials to connect to the API.
  • In the JWT assertion, you include your Client ID and UserName (and expiry information) as part of the token. This ties your OAuth app to your User ID → basically allowing Docebo’s API to associate your API connection with an *authorization* (i.e. what you’re allowed to do when you connect, as in do you have admin rights).
  • The key pair allows you to encrypt the JWT token. This helps prevent a malicious attack against the token from changing the Docebo username (allowing an attacker to change the username in the token to gain more privileges). Since you encrypt the payload with your private key, Docebo uses the Public Key to decrypt the JWT assertion to get your payload, so it knows who you are and whether you’re authorized to make the calls.

Hope that makes sense.

