Single Sign-On (SSO) is an authentication mechanism that allows users to access several applications with only one set of login credentials.
By enabling SSO for your Annoto widget, you become responsible for the authentication of your users: they get authenticated through your own login portal and can use Annoto services freely.
An unauthenticated user requests access to your site (post login details to your server).
Your server authenticates the user, The user gets authenticated using your own authentication and authorization process.
If the user access is granted, You create a secured JWT payload that contains information about the user, using code snippet provided by Annoto or using any other standard library.
The JWT token should be part of the login post answer (or some other query as you see fit).
Your client side JS code should call the annotoAPI.auth(token) method to authenticate the user.
(Note : Please refer to Using The API for instructions on how to get access to the
Annoto analyzes the payload, grants the user permission, and will show his details in the widget.
By default, Annoto will not save the user login information. The annotoAPI.auth(token) should be called at page refresh.
Your client side JS can use the annotoAPI.logout() method to logout the user.
What you will get from Annoto:
A unique secret that will be used to sign JWT tokens.
THE SECRET MUST BE KEPT CONFIDENTIAL ON YOUR SERVERS.
Once the user has been authenticated on your side, you must create a payload containing the required information about the user.
It should take the user information below and encode JWT token using the provided function and the SECRET. The JWT payload should contain:
issuer of the token (clientID provided by Annoto)
expiration timestamp in seconds. Indicating when the user login session expires.
unique identifier for the JWT. Equal to the unique identifier of your user.
visible user name
User email account
publicly accessible url to user photo
scope indicating permissions of the user:
audience of the token (http://annoto.net)
If email is not provided, email notifications for users won’t work.
If you prefer using your own JWT library instead of the code provided by Annoto. The JWT token MUST be signed using HS256 algorithm.
JWT’s full specification is available at https://tools.ietf.org/html/rfc7519
$issuedAt = time();
$expire = $issuedAt + 60*20; // Adding 20 minutes
"jti" => 1234,
"name" => "Hen Eytan",
"photoUrl" => "https://images.pexels.com/photos/101584/pexels-photo-101584.jpeg",
"iss" => "zRCIsImlzcyI6Imh0dHA6XC9cL3d3dy5vcGVudS",
"exp" => $expire
$key = "4e54273d5d17859d464cb9bf";
$jwt = JWT::encode($payload, $key);
Source files for JWT:encode: