Development Toolkit

Authentication & authorization

In order to build add-ons for the Clockify app, Marketplace API needs to interact with the Clockify API.
For an add-on to have access to the Clockify API, every request needs to have an X-Addon-Token header with a valid add-on token.

Your add-on token along with your API key should be kept secret.

There are two ways to obtain an add-on token:

1. Lifecycle hook: installed

The first way is to define an installed lifecycle hook in the manifest. When this set up is completed and you install an add-on in your workspace, a unique add-on token is generated.

You can obtain this token by reading authToken property of installed lifecycle hook payload. This token has admin privileges in the workspace.

For more information about lifecycle requests sent to add-ons, check out this article, Add-on lifecycle section.

2. UI components

The second way is to define a UI component in the manifest.

UI components are loaded and rendered in an iframe. Each iframe has its own URL which contains an auth_token parameter and its value is a valid add-on token.

This token has the same privileges as a user currently viewing that UI component.

Add-on token verification

Add-on token is a JWT signed with the RSA256 algorithm.

In order to verify Clockify add-on token on the add-on side, a publicKey is needed.
Public key for add-on token is: