What are secure requests?

Certain requests in hotglue to fetch tenant-specific information require additional authentication for access.

For instance, if you wish to fetch the raw OAuth credentials for a tenant to make your own requests against the source API, you will need to generate a private signing key and use that to generate a JWT token for access to those endpoints.

To access secure requests you will have to follow these steps:

  1. Generate a private signing key in the hotglue admin panel
  2. Use the private signing key in your backend to generate a JWT token for a specific tenant
  3. Forward this JWT token in your request to the hotglue API for access to low-level, tenant specific information

Generate a private signing key

To generate your private signing key, head to the environment settings page:

From here, press Generate private key under the API Keys section:

Do not share this private signing key!

For security purposes, hotglue does not store your private signing key. Keys are unique to every hotglue environment and can only be generated by an admin.

You should now store this private signing key in your backend, and use it to create a JWT token for secure requests.

Creating a JWT token

Once you have a private signing token generated, you can generate a JWT token from your backend to make secure requests to the hotglue API.

const jsonwebtoken = require('jsonwebtoken');
const currentTime = Math.floor(Date.now() / 1000);

// TODO: Change this tenant id
const tenantId = "tenant-id";

const token = jsonwebtoken.sign(
    sub: tenantId,
    iat: currentTime,
    exp: currentTime + (60 * 60), // 1 hour from now
  Buffer.from(process.env['HOTGLUE_SIGNING_KEY'], "base64").toString("utf8"),
    algorithm: "RS256",

Using the JWT token


When launching the widget you can pass the JWT token to make secure requests using the options parameter:

// Generate the JWT token in your backend using the signing key
// Sample code for this above
const token = getJwtToken();

// Launch the widget
HotGlue.open("tenant-id", {
  jwtToken: token


The JWT Token is used to access secure information using your Public API Key. If you’re trying to make sensitive requests from your backend, use your Secret API Key instead.

There are several API requests such as GET Linked Sources which allow you to pass the JWT token as a query parameter token to access sensitive data on behalf of a tenant while using your public api key.

curl --request GET \
     --url 'https://client-api.hotglue.xyz/env_id/flow_id/tenant_id/linkedSources?token=jwtToken' \
     --header 'Accept: application/json' \
     --header 'x-api-key: public_api_key'