Development Toolkit

Authentication & authorization

To build add-ons for the Clockify app, the CAKE.com Marketplace API needs to interact with the Clockify API.
For an add-on to have access to the Clockify API, every request must include an X-Addon-Token header with a valid add-on token.

Your add-on token along with your API key should be kept secret.

There are two ways to obtain an add-on token:

1. Lifecycle hook: installed

The first way is to define an installed lifecycle hook in the manifest. Once this setup is complete and you install the add-on in your workspace, a unique add-on token is generated.

You can obtain this token by reading the authToken property of the installed lifecycle hook payload. This token has admin privileges in the workspace.

For more information about lifecycle requests sent to add-ons, check out this article, Add-on lifecycle section.

2. UI components

The second way is to define a UI component in the manifest.

UI components are loaded and rendered in an iframe. Each iframe has its own URL, which contains an auth_token parameter whose value is a valid add-on token.

This token has the same privileges as the user currently viewing that UI component.

Add-on token verification

The add-on token is a JWT signed with the RSA256 algorithm (RS256 in the JWT alg header).
To verify a Clockify add-on token on the add-on side, the public key is needed.

The X.509 public key for the add-on token is provided in PEM format:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAubktufFNO/op+E5WBWL6
/Y9QRZGSGGCsV00FmPRl5A0mSfQu3yq2Yaq47IlN0zgFy9IUG8/JJfwiehsmbrKa
49t/xSkpG1u9w1GUyY0g4eKDUwofHKAt3IPw0St4qsWLK9mO+koUo56CGQOEpTui
5bMfmefVBBfShXTaZOtXPB349FdzSuYlU/5o3L12zVWMutNhiJCKyGfsuu2uXa9+
6uQnZBw1wO3/QEci7i4TbC+ZXqW1rCcbogSMORqHAP6qSAcTFRmrjFAEsOWiUUhZ
rLDg2QJ8VTDghFnUhYklNTJlGgfo80qEWe1NLIwvZj0h3bWRfrqZHsD/Yjh0duk6
yQIDAQAB
-----END PUBLIC KEY-----
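
One way to perform this verification on the add-on side, shown as an added example (not Clockify's own code) using only Node.js built-ins. The function names, the sample claims and the throwaway key pair are assumptions made for the demonstration; in an add-on you would pass the PEM public key above as publicKeyPem.

```javascript
const nodeCrypto = require('node:crypto');
const b64url = (s) => Buffer.from(s, 'base64url'); // decode one JWT segment

// Verify an add-on token against a PEM public key; returns the claims or throws.
function verifyAddonToken(token, publicKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(b64url(h).toString('utf8'));
  // Pin the algorithm instead of trusting whatever the token header announces.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = nodeCrypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKeyPem, b64url(s));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(b64url(p).toString('utf8'));
  // Assumption: the token carries the standard JWT exp claim (seconds since epoch).
  if (typeof claims.exp === 'number' && claims.exp <= nowSec) throw new Error('token expired');
  return claims;
}

// Constructed sample input: sign a token with a throwaway private key.
function makeSampleToken(privateKey, claims, alg = 'RS256') {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ alg, typ: 'JWT' })}.${enc(claims)}`;
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Returns 'ok' or the reason the token was rejected.
function check(token, publicKeyPem, nowSec) {
  try { verifyAddonToken(token, publicKeyPem, nowSec); return 'ok'; }
  catch (e) { return e.message; }
}

// Runs the verifier over constructed tokens (key pair generated locally).
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const now = 1700000000; // fixed clock so the result is reproducible
  const good = makeSampleToken(privateKey, { sub: 'sample-addon', exp: now + 60 });
  const [h, , s] = good.split('.');
  const altered = Buffer.from(JSON.stringify({ sub: 'other', exp: now + 60 })).toString('base64url');
  return {
    valid: check(good, pem, now),
    tampered: check(`${h}.${altered}.${s}`, pem, now),
    expired: check(good, pem, now + 61),
    wrongAlg: check(makeSampleToken(privateKey, { exp: now + 60 }, 'HS256'), pem, now),
  };
}
console.log(demo());
```

Only use claims from the token after verifyAddonToken has returned; a token taken from the iframe's auth_token parameter or a lifecycle payload should be treated as untrusted until then.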