Signed Requests for Referral Programs
JWTs can be used to send authorized information to SaaSquatch by impact.com via UTT or API. Learn more about building JWTs and including them with your calls on our JSON Web Tokens doc.
About signed requests
A signed request is a chunk of data that includes a JWT or API key. We use signed requests to verify that data sent to us comes from a trusted source. If signed requests aren’t used and we receive data that includes your tenant alias, then it’s possible for this data to make unauthorized or unintended changes to your program.
JWTs provide an extra layer of security when using UTT for referral programs because they are created with your private API key. You can use signed requests when creating or updating participants, events, and referrals.
Manage signed request settings
Your Secure Mode settings determine which UTT and Open Endpoint API methods are required to be signed with a JWT or API key. To manage them:
- Sign in to the Admin Portal, then navigate to Settings → Security.
- Find the Security Settings section.
Secure Mode can be set to Enabled, Disabled or Custom. By default, your Secure Mode setting is Custom, with all options enabled except for Get User Widget.
Important:
We highly recommend using signed requests to reduce your referral program's exposure to a man-in-the-middle security vulnerability. If signed requests are disabled, then more attention should be paid to your incoming referrals.
Secure Mode enabled
With Secure Mode enabled, all calls are required to be signed with a JWT or an API key to verify the contents of the request. This requirement applies regardless of whether authentication is needed for the method.
Secure Mode disabled
Disabling Secure Mode allows you to send requests to SaaSquatch by impact.com without a JWT or API key. You’ll be able to make any requests through the UTT library and some requests through Open Endpoint API calls.
Custom Secure Mode
By default, Secure Mode is set to Custom. Custom settings allow for granular control of the methods that must be sent with a JWT or API key. Note that some API calls may still be required to be sent with authentication, even if disabled is selected. See our API documentation for details.
Option | Description |
---|---|
Create Account/User | Enable or disable the ability to create or update accounts in the SaaSquatch by impact.com system without use of signed requests. |
Lookup User | Enable or disable the ability to look up users in your program(s) without use of signed requests. |
Apply Referral Code | Enable or disable the ability to apply a referral code to a user's account without use of signed requests. |
List Referrals | Enable or disable the ability to list all of the referrals for a given user without use of signed requests. |
Create/Update User | Enable or disable the ability to create or update a participant without use of signed requests. |
Get User Widget | Enable or disable the ability to display the widget for the participant without use of signed requests. |
Get Share Links | Enable or disable the ability to get a participant's share links without use of signed requests. |
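The Secure Mode decision described above, modelled as an added example (not SaaSquatch by impact.com's code or API): it shows which unsigned data each mode would accept and why a tampered token is rejected. It assumes HS256 JWTs keyed with the API key and a hypothetical `user` payload; `API_KEY`, `sign`, `verify` and `accept` are illustrative names, and signing belongs on your server, never in the browser.

```python
import base64, hashlib, hmac, json

# Constructed placeholder; a real tenant API key must stay server-side.
API_KEY = b"TEST_constructed_api_key"

# The page's default: Custom, every option signed except Get User Widget.
DEFAULT_CUSTOM = {
    "Create Account/User": True, "Lookup User": True,
    "Apply Referral Code": True, "List Referrals": True,
    "Create/Update User": True, "Get User Widget": False,
    "Get Share Links": True,
}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict, key: bytes = API_KEY) -> str:
    """Build a compact HS256 JWT over the payload (assumed algorithm)."""
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64(mac)}"

def verify(token, key: bytes = API_KEY):
    """Return the payload if the signature is valid, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(unb64(header)).get("alg") != "HS256":
            return None  # reject "none" and any unexpected algorithm
        want = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, unb64(sig)):
            return None
        return json.loads(unb64(body))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed or missing token

def accept(method, data, token=None, mode="Custom", custom=DEFAULT_CUSTOM):
    """Return the data that would be processed, or None if rejected."""
    # Unknown methods default to requiring a signature.
    must_sign = mode == "Enabled" or (mode == "Custom" and custom.get(method, True))
    if not must_sign:
        return data  # unsigned data is taken at face value
    return verify(token)  # only data covered by a valid signature is used
```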
Updated over 1 year ago