Skip to main content
Quick Summary: SkillsDB uses Private-Key JWT authentication — you generate a key pair, register the public key with SkillsDB, and sign a short-lived JWT with your private key on every request.
We support Private-Key JWT (Client-Signed) Authentication, where the client - you - generates its own asymmetric key-pair, registers the public key + signature algorithm with our platform once, and then signs a short-lived JSON Web Token (JWT) with the private key on every request. Our API authenticates the request by verifying the JWT’s signature against the stored public key—no shared secret ever leaves your system. Here is the step by step process that will be followed

Provide SkillsDB the Public Key

The client organization will need to provide the following to SkillsDB:
  1. Public Key: This needs to be provided most probably in PEM Format. ----BEGIN PUBLIC KEY----- MIIBIjANBg…. -----END PUBLIC KEY-----
  2. Signature Algorithm Name: The name of the algorithm used to sign the JWTs such as RS256, HS256

SkillsDB Provides Your Company ID

The JWT payload includes a field called company_id, which must be acquired from SkillsDB. This is a unique identifier that identifies your company and is a must in the JWT payload.

JWT Payload Expected Format

SkillsDB expects the following attributes in the payload of the JWT: 
{
  "external_system_email": "maira@starship.com",
  "company_id": 1,
  "exp": 1742265057
}
The fields above have the following purpose:
  1. external_system_email : String The email address of the user making this request. The authorization depends upon the permissions that are granted to this user in the system.
  2. company_id: Integer This is the company ID that uniquely identifies your company in the SkillsDB system.
  3. exp: Integer Expiry date in epoch format until which this JWT is valid.

Procedure

For every request, the external client system needs to call every GraphQL query and mutation using the Authorization header in the following format:
  1. Name: Authorization
  2. Value: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9
SkillsDB, based on the JWT and the user that corresponds to it, will proceed ahead with the request and perform the operation or return an error depending on the outcome. If you decide to rotate the key, SkillsDB will need to be provided with the new public key and the signature algorithm used. Otherwise your requests signed with the new private key will not work.

Need Help?

If you run into any issues or have questions, reach out to your organization’s SkillsDB administrator or contact SkillsDB Support.