JWT (JSON Web Token)
Compact, signed token format used to securely transmit identity claims between systems, the standard format Logora uses to receive a reader's identity from your authentication provider.
A JSON Web Token (JWT) is a compact, base64-URL-encoded token that carries identity claims (user ID, subscription tier, expiry, scope) signed by your authentication server. For a comment system, JWT is the format Logora expects when integrating with your reader account / paywall stack.
What Logora validates on every JWT
- Signature algorithm: RS256 / ES256 (asymmetric) by default. HS256 is supported but discouraged.
- Signature itself: checked against your IdP's public key (fetched once, cached).
- Issuer (`iss`): must match the IdP you registered.
- Audience (`aud`): must match your Logora client ID.
- Expiry (`exp`): tokens past expiry are rejected.
- Optional custom claims: subscription tier, paywall level, gamification points, used to gate premium debates and surface badges.
Backchannel logout (April 2026 release)
When a reader logs out of your main site, your IdP can call Logora’s backchannel endpoint to invalidate the active session in the comment widget. No stale sessions, no awkward “I logged out but I’m still here” cases. Standards-compliant (OpenID Connect Back-Channel Logout 1.0).
Common pitfalls
- Clock skew between your IdP server and Logora's, solved by a 30s tolerance on `exp` and `iat`.
- Refresh tokens for long-lived reading sessions: 15-30 min lifespan recommended.
- Custom claims naming: prefer namespaced claims (`https://logora.com/subscription-tier`) over generic names that may collide.
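The checks listed above (pinned algorithm, signature, `iss`, `aud`, `exp` with the 30s skew tolerance, namespaced custom claim), as an added stand-alone example that is not Logora's own code. It uses HS256 via the standard library only so that it runs offline; a real integration verifies RS256/ES256 against the IdP's public key, and the issuer, audience and key values are constructed placeholders.

```python
import base64, hmac, hashlib, json, time

LEEWAY = 30  # seconds of clock-skew tolerance on exp / iat, as the page states

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed test token (HS256, stdlib only). Production tokens are RS256/ES256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate(token: str, key: bytes, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
    except Exception as e:
        raise ValueError(f"malformed token: {e}")
    # Pin the expected algorithm instead of trusting the header (rejects alg=none and alg confusion)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    if payload.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")  # aud may be a string or a list of strings
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise ValueError("audience mismatch")
    if "exp" not in payload or now > payload["exp"] + LEEWAY:
        raise ValueError("token expired")
    if "iat" in payload and payload["iat"] > now + LEEWAY:
        raise ValueError("token issued in the future")
    return payload

if __name__ == "__main__":
    key = b"constructed-shared-secret"
    claims = {"iss": "https://idp.example", "aud": "logora-client-id",
              "iat": 1_000_000_000, "exp": 1_000_000_100,
              "https://logora.com/subscription-tier": "premium"}
    ok = validate(make_hs256_token(claims, key), key, "https://idp.example", "logora-client-id", now=1_000_000_050)
    print("tier:", ok["https://logora.com/subscription-tier"])
```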
See SSO and OAuth 2.0 / OIDC for the broader context.