Authentication

JWT Token Structure

The PAR Ordering dispatch system sends a JWT in the Authorization header of every API request it makes to your system:

Authorization: Bearer {jwt_token}

Token Validation

Token Claims:

  • sub: Request ID (OrderUid or LocationId)
  • partner_id: Organization ID
  • jti: Unique token identifier (GUID)
  • iat: Issued at timestamp (Unix seconds)

Token Properties:

  • Issuer: POSNext_Master
  • Audience: POSNext_Partner
  • Algorithm: HMAC SHA-256 (JWT header alg HS256); tokens presenting any other algorithm must be rejected
  • Signing Key: Your SharedId (the UTF-8 bytes of the SharedId string are the HMAC secret)
  • Expiration: 60 minutes from issue time (carried in the standard exp claim)

Validation Steps

  1. Extract the token from the Authorization: Bearer {token} header; reject the request if the scheme is not Bearer or the token is missing

  2. Confirm the header's alg is HS256, then validate the signature using the UTF-8 bytes of your SharedId as the HMAC secret; treat every claim as untrusted until this step passes

  3. Verify the issuer (iss) is POSNext_Master

  4. Verify the audience (aud) is POSNext_Partner

  5. Check the expiration time (exp); tokens are valid for 60 minutes from issue

  6. Extract partner_id (the OrganizationId) from the verified claims and confirm it matches the OrganizationId PAR assigned to your system; a correctly signed token carrying another partner's ID must still be rejected

Example Validation (C#, using System.IdentityModel.Tokens.Jwt):

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Returns the verified claims, or throws a SecurityTokenException if any check fails.
static ClaimsPrincipal ValidateParToken(string token, string sharedId, string expectedOrganizationId)
{
    var tokenHandler = new JwtSecurityTokenHandler();
    var validationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(sharedId)),
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // accept HS256 only
        ValidateIssuer = true,
        ValidIssuer = "POSNext_Master",
        ValidateAudience = true,
        ValidAudience = "POSNext_Partner",
        ValidateLifetime = true,
        ClockSkew = TimeSpan.Zero
    };
    var principal = tokenHandler.ValidateToken(token, validationParameters, out var validatedToken);
    // Step 6: partner_id must match the OrganizationId PAR assigned to this integration.
    var partnerId = principal.FindFirst("partner_id")?.Value;
    if (partnerId != expectedOrganizationId)
        throw new SecurityTokenException("partner_id does not match the expected OrganizationId");
    return principal;
}
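The same six checks implemented from scratch in Python, added here as an illustration (not the dispatch system's or this page's own code) of what the library call above does internally: the three dot-separated base64url segments, the alg pin, the constant-time HMAC comparison, and the claim checks in order. The SharedId, OrganizationId, OrderUid and jti values are constructed samples, and mint_token is a test helper standing in for the issuer.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "POSNext_Master"
AUDIENCE = "POSNext_Partner"
TOKEN_LIFETIME = 60 * 60  # 60 minutes from issue time

class TokenValidationError(Exception):
    pass

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(shared_id: str, signing_input: str) -> bytes:
    # HS256: HMAC-SHA256 keyed with the UTF-8 bytes of the SharedId
    return hmac.new(shared_id.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()

def mint_token(shared_id: str, claims: dict, alg: str = "HS256") -> str:
    """Test helper shaped like the issuer's tokens; alg is a parameter only so a bogus 'none' token can be built."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = "" if alg == "none" else _b64url_encode(_sign(shared_id, signing_input))
    return f"{signing_input}.{signature}"

def validate_token(authorization_header: str, shared_id: str,
                   expected_organization_id: str, now: Optional[int] = None) -> dict:
    """Run the six validation steps; return the verified claims or raise TokenValidationError."""
    now = int(time.time()) if now is None else now

    # Step 1: extract the token from "Authorization: Bearer {token}"
    scheme, _, token = authorization_header.strip().partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        raise TokenValidationError("missing or malformed Bearer token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm before checking the signature: the header is attacker-controlled,
    # so 'none' or any non-HS256 value is rejected outright
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenValidationError("unexpected alg")

    # Step 2: recompute the HMAC over header.payload and compare in constant time
    expected_sig = _sign(shared_id, f"{header_b64}.{payload_b64}")
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenValidationError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # only now are the claims trustworthy

    # Step 3: issuer
    if claims.get("iss") != ISSUER:
        raise TokenValidationError("wrong issuer")

    # Step 4: audience (a JWT aud may be a single string or a list)
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenValidationError("wrong audience")

    # Step 5: expiry with zero clock skew, matching ClockSkew = TimeSpan.Zero above
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenValidationError("token expired")

    # Step 6: partner_id must equal the OrganizationId PAR assigned to this integration
    if claims.get("partner_id") != expected_organization_id:
        raise TokenValidationError("partner_id mismatch")
    return claims

# Constructed sample values for a stand-alone run; not real credentials or IDs
SAMPLE_SHARED_ID = "example-shared-id-0000"
SAMPLE_ORG_ID = "org-123"

def sample_claims(issued_at: int) -> dict:
    return {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "sub": "order-abc",  # OrderUid
        "partner_id": SAMPLE_ORG_ID,
        "jti": "5f2c7e1a-3b4d-4c6e-9a8f-1d2e3f4a5b6c",
        "iat": issued_at,
        "exp": issued_at + TOKEN_LIFETIME,
    }

if __name__ == "__main__":
    now = int(time.time())
    hdr = "Bearer " + mint_token(SAMPLE_SHARED_ID, sample_claims(now))
    print(validate_token(hdr, SAMPLE_SHARED_ID, SAMPLE_ORG_ID, now)["sub"])
```

Malformed base64 or JSON in a segment surfaces as a binascii.Error or ValueError rather than a TokenValidationError; wrap those at the call site if you want a single rejection path. In production keep the library-based validation above and use this only to understand what each setting guards against.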