Authentication between end users and Flatfile
Flatfile customers can sign the session JWT from their server using a private key. This secures the session and prevents anyone without the private key from authorizing import control for the end user. An extra layer of verification can be added by signing the environment variables on a Portal 3.0 with a private key that is only known to you. This removes Flatfile as a possible vector.
Authentication between Flatfile customers and Flatfile
Flatfile customers can share a private key with Flatfile through the environment variables of the Webhook (that can be cycled regularly) used for signing user sessions (see above) and webhook payloads. This allows Flatfile customers to trust payloads being sent to a webhook as coming from Flatfile. If a Flatfile customer has included a private key known only to them in the environment variables, they can verify that the validation request is authorized and that not even Flatfile could have tampered with it.
By adding a private key to your session's environment variables, you are able to secure authentication between you and your users without adding Flatfile as a vector that would require further security considerations. With this approach, you do not need to expose a user token that would grant Flatfile access to any API endpoints on behalf of the user.
To understand how to set session environment variables, please see our developer documentation.
Please sign in to leave a comment.