SaaSquatch Help Center

Signed Requests is an optional but highly recommended feature that provides a layer of security for your program by allowing the SaaSquatch system to validate the data sent to us and confirm it originated from you.

Management of this feature is done through the Tenant Security Settings section of the Install page under Settings.

A Signed Request is a chunk of data sent to the SaaSquatch system that includes a JWT or API key which we use to verify that the data originated from a trusted source. This article will focus on use of JWTs to send authorized information to SaaSquatch via squatch.js. To read about authentication for API, see our guide here.

JWTs provide an extra layer of security when using squatch.js as they are created using your API key, which is something that should only be known to yourself and SaaSquatch. This includes creating and updating users, events, and referrals.

While it is possible to turn off Signed Requests, doing so means that data sent to us that includes your tenant alias sent by any party will be able to easily make unauthorized changes to your program.

Secure Mode Settings

The Secure Mode settings allow you to determine which, if any, of the squatch.js Methods and some of the Open Endpoint API Methods are required to be signed using a JWT or an API key when connecting to the SaaSquatch system.

The configuration settings for Secure Mode can be found on the Install page under the Settings header in the SaaSquatch Admin Portal. The available settings for Secure Mode include Enabled, Disabled, and Custom. By default your program is set to Custom with all options Enabled except for Create/Update Anonymous User and Get User Widget.

Secure Mode Enabled

With Secure Mode enabled, all calls made using our squatch.js library and Open Endpoint API are required to be signed with a JWT or an API key to verify the contents of the request, regardless of whether or not authentication is required for the method.

Secure Mode Disabled

Turning Secure Mode off allows you to make any requests to the SaaSquatch System through the squatch.js library and some requests through Open Endpoint API calls without them needing to be signed with a JWT or an API key.

We highly recommend using Signed Requests to reduce your referral program's exposure to a man-in-the-middle security vulnerability. With Signed Requests turned off more attention should be paid to your incoming referrals. We recommend keeping a close watch on incoming referrals and familiarize yourself with how our referral Security Management System functions.

Custom Secure Mode Settings

The Custom configurations for Secure Mode allow for granular control over which squatch.js methods and some Open Endpoint API methods are required to be signed with a JWT/API key.

Custom Secure Mode Settings
Granular Settings
Option Auth Required for API even if Disabled? Description
Create Account/User Yes Enable/Disable the ability to create or update Accounts in the SaaSquatch system without use of Signed Requests
Lookup User Yes Enable/Disable the ability to lookup users in your program(s) without use of Signed Requests
Apply Referral Code Yes Enable/Disable the ability to apply a referral code to a user's account without use of Signed Requests
List Referrals Yes Enable/Disable the ability to list all of the referrals for a given user without use of Signed Requests
Create/Update User Yes Enable/Disable the ability to create or update a user without use of Signed Requests
Create/Update Anonymous User No Enable/Disable the ability to Display the Unregistered User Widget without use of Signed Requests
Get User Widget Yes Enable/Disable the ability to display the widget for the user without use of Signed Requests
Get Share Links Yes Enable/Disable the ability to get a user's sharelinks without use of Signed Requests
Track User Events Yes Enable/Disable the ability to sending a user event without the use of a Signed Request

How do I use Signed Requests with squatch.js?

If you have activated secure mode, you will need to generate a JWT using you tenant's API key and include it in the squatch.js being made.

You can learn more about building JWTs and including them with your calls by reviewing our JSON Web Tokens Page.

If you have any questions or run into any issues with using signed requests, please reach out to our Success Team for further assistance.