SaaSquatch Help Center

Signed Requests provide a layer of security for the squatch.js JavaScript library by letting us validate that the data we receive originated from your servers.

Whether Signed Requests are required can be configured using the Secure Mode settings.

Secure Mode Settings

The Secure Mode settings determine which, if any, of the squatch.js Methods are required to be signed using a JWT when connecting to the SaaSquatch system. The configuration settings for Secure Mode can be found on the Install page in the SaaSquatch Admin Portal.

The available settings for Secure Mode include Enabled, Disabled, and Custom.

Secure Mode Enabled


With Secure Mode enabled, calls made using our squatch.js library are required to be signed with a JWT to verify the contents of the request.

Secure Mode Disabled

Turning Secure Mode off allows you to make requests to the SaaSquatch system through the squatch.js library without them needing to be signed with a JWT.

We highly recommend using Signed Requests to reduce your referral program's exposure to man-in-the-middle tampering. With Signed Requests turned off, more attention should be paid to your incoming referrals. We recommend keeping a close watch on incoming referrals and familiarizing yourself with how our referral Security Management System functions.

Custom Secure Mode Settings

The Custom configuration for Secure Mode allows for granular control over which squatch.js methods are required to be signed with a JWT.


Notable Settings

Create/Update User: Enable/Disable the ability to create or update Users in the SaaSquatch system without including a JWT.
Create/Update Anonymous User: Enable/Disable the ability to display the Unregistered User Widget without including a JWT.

When to Use Signed Requests

Certain referral program functionality is limited based on the type of referral program you have and the state of the Signed Requests settings.

The following charts outline the security requirements for different program types and Signed Request settings.

API Programs

For referral programs configured as "API-only":

                              Signed Requests ON       Signed Requests OFF
payment_provider_id included  Checksum/JWT Required    No Checksum/JWT
payment_provider_id null      Checksum/JWT Required    No Checksum/JWT

Payment Provider Programs

For referral programs configured for one of our Payment Provider Integrations:

                              Signed Requests ON       Signed Requests OFF
payment_provider_id included  Checksum/JWT Required    No Checksum/JWT
payment_provider_id null      Checksum/JWT Required    Checksum/JWT Required

How do I use signed requests?

A signed request uses either a cryptographic signature (checksum) or a JSON Web Token (JWT).

To use signed requests, your server must generate a JWT or checksum using your tenant's API key, and pass that to the squatch.js init function.

JWT

The JWT will be used to sign the data that you plan to submit to Referral SaaSquatch.

Building the JWT

The JWT payload is built using the JSON object of the squatch.js init parameters:

Note: Make sure to ignore client-only parameters like mode; they are not part of the signed payload.

{
  "tenant_alias": "test_aaaexampleaaa",
  "account_id": "a5678",
  "payment_provider_id": null,
  "user_id": "u1234",
  "email": "joe.tester@example.com",
  "first_name": "Joe",
  "last_name": "Tester"
}

The process for building the JWT is outlined on our JSON Web Tokens page.

Checksum

Deprecated