Skip to main content

JSON Web Token (JWT) format

API: Drive

This doc covers the Drive API. If you're using the Drive (classic) API, see the reference guide for Drive (classic) JWTs.

JSON Web Tokens (JWTs) are a token format for authentication used to communicate with DoorDash APIs. They allows two parties to communicate securely by signing the information. JWTs allow users to establish trust with the service without ever having to send a secret over the wire and creation of JWTs has language support in all common programming languages

Using a JWT to authenticate with the API

In order to authenticate with the API, provide the JWT as a Bearer token in the Authentication header

Authorization: Bearer [JWT]

Anatomy of a JWT​

JWTs consist of three parts separated by periods which are:

  • Header
  • Payload
  • Signature

The results is a token that looks like aaa.bbb.ccc

The header specifies the algorithm used to sign the token - HMAC SHA 265 (HS265) and the DoorDash JWT version (v1)

{
"alg": "HS256",
"typ": "JWT",
"dd-ver": "DD-JWT-V1"
}

The header is Base64url encoded and makes the first part of the JWT.

Payload​

The content of the token as a json object. This content can be trusted by the recipient.

Payload format

{
"aud": "doordash",
"iss": DEVELOPER ID,
"kid": KEY ID,
"iat": ISSUED AT,
"exp": EXPIRATION
}

aud - Audience. Always set to "doordash".

iss - Issuer. Set to the Developer ID (UUID format).

kid - Key ID. Set to the Key ID (UUID format) that was used to sign the JWT.

iat - Issued At. When the token was created. Formatted as seconds from the epoch. iat cannot be in the future.

exp - Expiration. When the token expires. Formatted as seconds from the epoch. exp has a maximum value of 30 minutes (1800 seconds) beyond the issued at time.

Example

{
"aud": "doordash",
"iss": "582e4f20-0f48-4bc2-99c2-e094675e2919",
"kid": "585698aa-2aa6-4bb4-8b3f-dd9d3f47dc28",
"iat": 1636463841,
"exp": 1636465641
}

The payload is Base64url encoded and makes the second part of the JWT.

Signature​

The signature is used to verify the content's authenticity. Only someone with the signing secret is able to produce the correct signature. The signature is computed through the HMAC SHA256 (HS256) algorithm.

The signature is Base64url encoded and makes the third part of the JWT.

Protecting your secret​

Treat you signing secret like a password. Put your secret into a secure store or vault to protect it from theft and misuse.