
Product Instant Access Links

The following article covers how to configure instant access links for products.

Users can be granted access to a product without needing to log in, by clicking a secure link. This access allows the user to view only the specified product; to access other products or features, they will need to log in.

Any actions taken will be captured in the usage statistics of the user. These tokens are designed to be used in marketing emails or product newsletters, which are generated in other systems.

🔔Note: These tokens work for briefings and reports only.

Content Catalyst uses a standard called ‘JSON Web Tokens’ (JWTs) embedded in a URL to authenticate the instant access request.

The JWT website provides a full specification of the structure of general JWTs, and examples of how to generate them in many different languages.

The structure of access tokens

JSON Web Tokens consist of three sections (the header, payload and signature) separated by dots (.). An example JWT might look like:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0OTIxMjgwMDAsImF1ZCI6IlByb2R1Y3RBY2Nlc3MiLCJzdWIiOiJ1c2VyIiwicHJvZHVjdCI6InByb2R1Y3QifQ.D2lhP8ZxoqjfIobd5t5t9jGZqzq3PV_6_Zk5xe4iM04 

Header

The header designates the algorithm used to protect the JWT. We use the HMAC SHA256 algorithm so the header should be the following UTF8 JSON string, Base64Url encoded:

{"alg":"HS256","typ":"JWT"} 

Payload

The payload should be a JSON object, with the following properties:

| Property | Description |
|---|---|
| aud | The purpose of this token. Should always be the string “ProductAccess” (case sensitive). |
| exp | The expiry date/time of this token. This should be a JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. A clock skew of 3 minutes is applied, and expiry is only checked on use of the access link (potentially allowing the user an extra 12 hours of use, from the same machine). |
| product | The product code of the product to be accessed. |
| sub | The username of the user that usage statistics should be tracked against. |

An example payload would be the following UTF8 JSON string, Base64Url encoded:

{"exp":1483228800,"aud":"ProductAccess","sub":"user","product":"product"} 

Signature

This should be the Base64Url encoded HMAC SHA256 of <Base64Url encoded header>.<Base64Url encoded payload>. The HMAC key can be found on the security page, in the Site customization area of the admin interface.

How to use them

The token should be embedded in a link, and sent to the user in a secure manner (e.g. an email). The format of the link is https://{your site domain}/Access?token={JWT}.

If the token is invalid or expired, the user will be redirected to the login page. Otherwise, they will be redirected to the product specified in the JWT.

After the redirect the user will only be able to use the specified product. If they try to navigate to a different product or another part of the site, they will be redirected to the login page.
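
The token and link format described above, as an added Python example (not Content Catalyst's own code). It builds the three segments, signs them, and runs a local check of signature, `aud` and expiry before the link is sent. Assumptions: the HMAC key is used as the raw bytes of the string shown in the admin interface, and the helper names, the demo key and the `example.invalid` domain are constructed for illustration.

```python
import base64, hashlib, hmac, json

SKEW = 180  # the 3-minute clock skew stated in the article

def b64url(data: bytes) -> str:
    # Base64Url with '=' padding stripped, as JWT segments require
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign(key: bytes, signing_input: str) -> str:
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256)
    return b64url(mac.digest())

def make_token(key: bytes, username: str, product: str, exp: int) -> str:
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    claims = {"exp": int(exp), "aud": "ProductAccess", "sub": username, "product": product}
    body = json.dumps(claims, separators=(",", ":"), ensure_ascii=False)
    signing_input = f"{header}.{b64url(body.encode('utf-8'))}"
    return f"{signing_input}.{sign(key, signing_input)}"

def access_link(domain: str, token: str) -> str:
    # JWT segments contain only URL-safe characters, so no escaping is needed
    return f"https://{domain}/Access?token={token}"

def check_token(key: bytes, token: str, now: int):
    """Local pre-send check (an assumption, not the site's verifier).
    Returns the claims, or None if the token should be rejected."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # only the documented algorithm is accepted
        if not hmac.compare_digest(sig, sign(key, f"{header}.{payload}")):
            return None  # constant-time comparison of the signature
        claims = json.loads(b64url_decode(payload))
        if claims.get("aud") != "ProductAccess":
            return None
        return claims if now <= int(claims["exp"]) + SKEW else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; use the key from the admin security page
    token = make_token(key, "user", "product", 1492128000)
    print(access_link("example.invalid", token))
    print(check_token(key, token, now=1492128000 - 60))
```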