Skip to content

[DX-1489] Fix embedded-token JWT requirements on the token auth page#3457

Open
umair-ably wants to merge 3 commits into
mainfrom
fix-embedded-token-jwt-requirements
Open

[DX-1489] Fix embedded-token JWT requirements on the token auth page#3457
umair-ably wants to merge 3 commits into
mainfrom
fix-embedded-token-jwt-requirements

Conversation

@umair-ably

Copy link
Copy Markdown
Contributor

What

Two corrections to the Embedded Token JWT → Requirements list on /docs/auth/token#embedded:

  1. "The embedded token must be an Ably Token (not a JWT)" is factually wrong. The service accepts an embedded Ably JWT as well as a native Ably Token: TokenDb.get in the realtime service unwraps x-ably-token and validates either form, and the realtime test suite covers it directly (auth_external_jwt_with_ably_jwt_embedded_in_jose_header, auth_external_jwt_with_ably_jwt_embedded_in_payload, auth_external_encrypted_jwt_with_ably_jwt_embedded_in_jose_header). The "(not a JWT)" exclusion was introduced in the [FTF-468] Several docs changes to highlight token auth over API key auth, as well as more info on using JWTs #3085 rewrite — the pre-rewrite wording ("The embedded token is an Ably Token") made no such claim.

  2. The x-ably-token location bullet implied the JOSE header is only for the non-JWS case. The server checks the JOSE header first for both JWS and JWE outer tokens, with the payload claim as an additional option for unencrypted JWS only (a JWE payload is encrypted, so Ably cannot read it). As previously worded, the bullet contradicted the code examples further down the same page, which all embed the token in the header of an HS256 JWS.

Why

Reported as inaccurate by a reader; verified against the realtime service implementation and its test suite before rewording.

🤖 Generated with Claude Code

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 07306867-96e6-4e73-b7d3-63cc6162d83d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix-embedded-token-jwt-requirements

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@umair-ably umair-ably force-pushed the fix-embedded-token-jwt-requirements branch from 2dc6937 to 959caec Compare July 3, 2026 10:14
@umair-ably umair-ably requested a review from paddybyers July 3, 2026 10:21
@umair-ably umair-ably changed the title Fix embedded-token JWT requirements on the token auth page [DX-1489] Fix embedded-token JWT requirements on the token auth page Jul 3, 2026

@paddybyers paddybyers left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

Comment thread src/pages/docs/auth/token/index.mdx Outdated
umair-ably and others added 3 commits July 3, 2026 12:58
The Requirements list for "Embedded Token JWT" stated the embedded token
must be an Ably Token (not a JWT). The service also accepts an Ably JWT
as the embedded token (TokenDb.get handles both, and the realtime test
suite covers ably-JWT-in-JWS-header, ably-JWT-in-payload, and
ably-JWT-in-JWE-header). The "(not a JWT)" exclusion was introduced in
the #3085 rewrite; the pre-rewrite page made no such claim.

Also rephrase the x-ably-token location bullet: the JOSE header works
for both JWS and JWE outer tokens (the page's own examples embed the
token in a JWS header); the payload claim is an additional option for
unencrypted JWS only. The previous wording implied the header was only
for the non-JWS case.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-authored-by: Paddy Byers <paddy.byers@gmail.com>
@umair-ably umair-ably force-pushed the fix-embedded-token-jwt-requirements branch from 9704757 to 1f24c57 Compare July 3, 2026 11:58
@umair-ably umair-ably requested a review from paddybyers July 3, 2026 11:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants