User Authorization
Instructions for tenant user auth
User Authentication
A key advantage of Latenode integration is its authentication simplicity. Users sign in through your application and receive a special token that gives them access to Latenode functions. The system uses a JSON Web Token (JWT), secured by a unique private key from Latenode. The JWT contains user data from your system. After the Latenode platform verifies the JWT signature, the user receives client privileges and can work with integrations within their account.
Signature Private Key
Before you can generate a JWT, you will need a valid signature key from Latenode. Contact support to obtain the key.
Keep this key in a secure location - it will be used to verify user authentication in your application.
Creating and Signing JWT
Now that you have the signature key, you can create and sign a JSON Web Token (JWT). To do this, you can use one of the libraries suitable for your backend.
The JWT that you generate for the user must have the following properties:
- Header must specify the signing algorithm and look something like this:

  {
    "alg": "RS512",
    "typ": "JWT"
  }

  Supported JWT algorithms:
  - RS256, RS384, RS512
  - ES256, ES256K, ES384, ES512
  - PS256, PS384, PS512
- Private signature key issued by Latenode
- Payload with the following data:
  - tenant_id: Required numeric field. Provided by the Latenode platform.
  - user_id: Required field. ID of the user in your organization. A string value that uniquely identifies the user.
  - plan_id: Optional numeric field. ID of the tariff plan that will be set for the user if this is the user's first authorization on the platform. This field does not need to be filled in afterwards.
  - no_personal_space: Optional boolean field. If true, the user will be created without a personal space.
  - grant_access: Optional array that allows assigning the user to one or more existing spaces with specified roles. Required if no_personal_space is set to true.
JWT Payload example
{
  "tenant_id": 1,
  "user_id": "1",
  "plan_id": 35,
  "no_personal_space": true,
  "grant_access": [{
    "space_id": 2,
    "role_id": 2
  }]
}

In this example:
- The user belongs to tenant 1.
- The user will be created without a personal space.
- Since no_personal_space is true, the grant_access field is required.
- The user will receive access to the space with ID 2 and be assigned the role with ID 2.
Available Roles
Latenode provides a role-based access model for users within each space.
Each role defines what actions a user can perform.
| Role | Description |
| --- | --- |
| Admin (role_id: 1) | Has full access to the space and all its configurations. Can create, edit, and delete scenarios, manage users, and change space settings. Only one admin can exist per space. Created automatically when a new space is created. |
| Manager (role_id: 2) | Has almost the same permissions as the Admin but cannot add or remove users from the space. |
| No-code (role_id: 3) | Can create, edit, delete, activate/deactivate, and move scenarios between folders. Does not have access to user or space management. |
Creating a JWT token is sufficient to register or authorize a user on the Latenode platform. Pass this token to the SDK's configure method. If the user is new, they will be automatically registered and authorized.
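The header, payload rules and signature described above, as an added example rather than Latenode's own code: it validates the payload fields, signs with RS512 using Node's built-in crypto module, and includes the verifier-side signature check. It assumes the issued key is an RSA private key; the function names and the throwaway demo key pair are constructed for illustration.

```javascript
// Added example (not Latenode code). Uses only Node's built-in crypto module.
const nodeCrypto = require('crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');
const ROLE_IDS = [1, 2, 3]; // Admin, Manager, No-code, from the roles table

// Enforce the payload rules from this page before anything is signed.
// Assumption: numeric IDs are integers.
function buildPayload({ tenant_id, user_id, plan_id, no_personal_space, grant_access = [] }) {
  if (!Number.isInteger(tenant_id)) throw new Error('tenant_id is required and numeric');
  if (typeof user_id !== 'string' || user_id === '') throw new Error('user_id is required');
  if (plan_id !== undefined && !Number.isInteger(plan_id)) throw new Error('plan_id must be numeric');
  if (no_personal_space !== undefined && typeof no_personal_space !== 'boolean') throw new Error('no_personal_space must be boolean');
  if (!Array.isArray(grant_access)) throw new Error('grant_access must be an array');
  if (no_personal_space === true && grant_access.length === 0) throw new Error('grant_access is required when no_personal_space is true');
  for (const { space_id, role_id } of grant_access) {
    if (!Number.isInteger(space_id) || !ROLE_IDS.includes(role_id)) throw new Error('invalid grant_access entry');
  }
  const payload = { tenant_id, user_id };
  if (plan_id !== undefined) payload.plan_id = plan_id;
  if (no_personal_space !== undefined) payload.no_personal_space = no_personal_space;
  if (grant_access.length > 0) payload.grant_access = grant_access.map(({ space_id, role_id }) => ({ space_id, role_id }));
  return payload;
}

// RS512 = RSASSA-PKCS1-v1_5 with SHA-512 over "base64url(header).base64url(payload)".
function signTenantJwt(payload, privateKey) {
  const header = { alg: 'RS512', typ: 'JWT' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const signature = nodeCrypto.sign('sha512', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Verifier-side check: pin the algorithm, then verify; returns claims or null.
function verifyTenantJwt(token, publicKey) {
  try {
    const [head, body, sig] = token.split('.');
    if (JSON.parse(Buffer.from(head, 'base64url').toString()).alg !== 'RS512') return null;
    const ok = nodeCrypto.verify('sha512', Buffer.from(`${head}.${body}`), publicKey, Buffer.from(sig, 'base64url'));
    return ok ? JSON.parse(Buffer.from(body, 'base64url').toString()) : null;
  } catch { return null; }
}

// Constructed demo: a throwaway key pair stands in for the key issued by Latenode.
function demo() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const claims = buildPayload({ tenant_id: 1, user_id: '1', plan_id: 35, no_personal_space: true, grant_access: [{ space_id: 2, role_id: 2 }] });
  const token = signTenantJwt(claims, privateKey);
  return { token, publicKey, verified: verifyTenantJwt(token, publicKey) };
}
console.log(demo().verified);
```

Sign on the backend only, loading the real key from a secret store, so the private key never reaches the browser that hosts the iframe.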
⚠️ Known Browser Limitations (Safari & Incognito Mode)
When using the standard authentication flow inside an iframe, some browsers — notably Safari and incognito/private mode in Chrome — may block third-party cookies. Since our authorization relies on cookies inside an iframe, this may lead to failed login attempts.
Recommendations:
- If you're using Safari, you can:
  - Add the iframe parent domain to the list of trusted sites
  - Or disable “Prevent cross-site tracking” in Safari settings
- If you're using incognito mode, please use a regular browser session instead — incognito mode disables third-party cookie storage by default.