Skip to content

Q&A: Authentication for API and WebSocket Connections

Question

How is authentication handled for API and WebSocket connections?

Tech Lead's Answer

All API and WebSocket connections require JWT-based authentication. Tokens are issued by our identity provider and validated at the API Gateway and WebSocket entry points. Token expiry and refresh are managed by the partner.

API keys and secret keys are generated exclusively for each partner. The partner must use their API and secret key to sign the JWT token for the end user. This token is then validated by the Sprinklr service to ensure authenticity and integrity.

Recommendation

Implement short-lived tokens with automatic refresh, enforce token validation at all entry points, and monitor for token misuse.

Risk

If token validation is bypassed or tokens are leaked, unauthorized access to sensitive APIs or chat sessions is possible.

Mitigation

  • Enforce strict validation at API Gateway and WebSocket services.
  • Use HTTPS everywhere.
  • Rotate signing keys regularly.
  • Monitor for suspicious authentication attempts.

Incident Response Plan

  • Immediately revoke compromised tokens.
  • Rotate signing keys.
  • Investigate access logs for unauthorized activity.
  • Notify affected users and partners as per incident response policy.