From 8f8d9c1e4431f426a1b0011869f3b924335f5c7d Mon Sep 17 00:00:00 2001 From: umair Date: Fri, 3 Jul 2026 11:10:33 +0100 Subject: [PATCH 1/3] fix: correct embedded-token JWT requirements on auth/token page The Requirements list for "Embedded Token JWT" stated the embedded token must be an Ably Token (not a JWT). The service also accepts an Ably JWT as the embedded token (TokenDb.get handles both, and the realtime test suite covers ably-JWT-in-JWS-header, ably-JWT-in-payload, and ably-JWT-in-JWE-header). The "(not a JWT)" exclusion was introduced in the #3085 rewrite; the pre-rewrite page made no such claim. Also rephrase the x-ably-token location bullet: the JOSE header works for both JWS and JWE outer tokens (the page's own examples embed the token in a JWS header); the payload claim is an additional option for unencrypted JWS only. The previous wording implied the header was only for the non-JWS case. Co-Authored-By: Claude Fable 5 --- src/pages/docs/auth/token/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pages/docs/auth/token/index.mdx b/src/pages/docs/auth/token/index.mdx index cc6b68251f..2f5a5a3641 100644 --- a/src/pages/docs/auth/token/index.mdx +++ b/src/pages/docs/auth/token/index.mdx @@ -245,8 +245,8 @@ If you have an existing [JWT](https://jwt.io/) authentication system, you can em ### Requirements -* The embedded token must be an Ably Token (not a JWT). -* The embedded token is included under the `x-ably-token` key in the [JOSE Header](https://tools.ietf.org/html/rfc7519), or if using JWS, in the payload claims. +* The embedded token can be an Ably Token or an Ably JWT. +* Include the token under the `x-ably-token` key in the [JOSE Header](https://tools.ietf.org/html/rfc7519). If the outer JWT is an unencrypted JWS, you can alternatively include it as an `x-ably-token` claim in the payload. * The expiry time of the embedded token must not be earlier than the outer JWT's expiry time (`exp` claim). Ably will reject any JWT if it is unencrypted and its `exp` claim is later than the expiry of the enclosed token. ### When to use From 457b112f766d5966585d6ef05cb991c2dfd45e55 Mon Sep 17 00:00:00 2001 From: umair Date: Fri, 3 Jul 2026 11:18:53 +0100 Subject: [PATCH 2/3] Link "Ably JWT" to its definition in the API reference Co-Authored-By: Claude Fable 5 --- src/pages/docs/auth/token/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/auth/token/index.mdx b/src/pages/docs/auth/token/index.mdx index 2f5a5a3641..6c522d0736 100644 --- a/src/pages/docs/auth/token/index.mdx +++ b/src/pages/docs/auth/token/index.mdx @@ -245,7 +245,7 @@ If you have an existing [JWT](https://jwt.io/) authentication system, you can em ### Requirements -* The embedded token can be an Ably Token or an Ably JWT. +* The embedded token can be an Ably Token or an [Ably JWT](/docs/api/rest-sdk/authentication#ably-jwt). * Include the token under the `x-ably-token` key in the [JOSE Header](https://tools.ietf.org/html/rfc7519). If the outer JWT is an unencrypted JWS, you can alternatively include it as an `x-ably-token` claim in the payload. * The expiry time of the embedded token must not be earlier than the outer JWT's expiry time (`exp` claim). Ably will reject any JWT if it is unencrypted and its `exp` claim is later than the expiry of the enclosed token. From 1f24c57f68b3374e6437a690e42236511db45831 Mon Sep 17 00:00:00 2001 From: Umair <157486912+umair-ably@users.noreply.github.com> Date: Fri, 3 Jul 2026 12:57:50 +0100 Subject: [PATCH 3/3] Update src/pages/docs/auth/token/index.mdx Co-authored-by: Paddy Byers --- src/pages/docs/auth/token/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/auth/token/index.mdx b/src/pages/docs/auth/token/index.mdx index 6c522d0736..5cdb2c7243 100644 --- a/src/pages/docs/auth/token/index.mdx +++ b/src/pages/docs/auth/token/index.mdx @@ -245,7 +245,7 @@ If you have an existing [JWT](https://jwt.io/) authentication system, you can em ### Requirements -* The embedded token can be an Ably Token or an [Ably JWT](/docs/api/rest-sdk/authentication#ably-jwt). +* The embedded token can be an [Ably JWT](/docs/api/rest-sdk/authentication#ably-jwt) or an Ably Token. * Include the token under the `x-ably-token` key in the [JOSE Header](https://tools.ietf.org/html/rfc7519). If the outer JWT is an unencrypted JWS, you can alternatively include it as an `x-ably-token` claim in the payload. * The expiry time of the embedded token must not be earlier than the outer JWT's expiry time (`exp` claim). Ably will reject any JWT if it is unencrypted and its `exp` claim is later than the expiry of the enclosed token.