App Connect
Integrate custom applications with Navixy authentication
Navixy App Connect is an authentication gateway that enables you to build custom applications integrating with Navixy without implementing your own user management system. Users authenticate once through their Navixy account, and your application receives secure database access credentials automatically.
The middleware acts as an authentication proxy that:
Authenticates users via their
session_keyFetches database credentials from the master database
Calls your application's auth endpoint with user info and database URLs
Proxies all subsequent requests to your application
Common use cases:
Custom dashboards for IoT data visualization
Analytics tools processing telemetry data
Business system integrations with Navixy data
Dashboard Studio uses this authentication approach. You can integrate any custom application the same way.
Integration prerequisites
Your application must meet these technical requirements to integrate with Navixy App Connect:
API server: Your application must have a publicly accessible API server that can receive HTTP POST requests from the middleware and respond with JSON authentication responses. The Authentication endpoint section describes the specific endpoint you must implement. For testing, you can use cloud hosting platforms to quickly deploy a publicly accessible test server. Use production-grade hosting for live applications.
JWT token generation: Your application must be able to generate JWT tokens with required fields (
userId,email,role,iat,exp) using HS256 or RS256 algorithms. You must also generate a signing secret (a random string of at least 32 characters) to sign these tokens. The JWT Token Requirements section describes the token structure and validation rules.Database connectivity: Your application must include a PostgreSQL client library to connect to Navixy databases using connection strings provided during authentication. The Using Database Connection Strings section provides connection examples and best practices.
How application registration works
Navixy App Connect does not require separate application registration. Your application integrates directly with existing Navixy user accounts through the authentication middleware layer.
The connection between your application and Navixy is managed through the User applications functionality. When a user accesses your application:
The middleware validates the user's session
The middleware retrieves database credentials for that user
The middleware calls your
/api/auth/loginendpoint with user information and database URLsYour application responds with a JWT token
The user can now interact with your application
You do not need to register your application URL, provide callback endpoints, or configure webhook addresses. The middleware handles all communication between Navixy and your application automatically.
Watch this video to get a quick and visual walkthrough of authenticating a 3rd-party app with Navixy session using App Connect:
Development and testing workflow
Local development
You can develop and test most of your application locally:
Implement the auth endpoint (
POST /api/auth/login) on your local serverTest token generation by calling your endpoint directly with sample payloads
Test database connectivity using connection strings in the format provided by the middleware
Test API routes by generating tokens and making authenticated requests
See the Complete Integration Example section for step-by-step implementation guidance with working code.
Testing API connectivity
To test the complete authentication flow including middleware communication, deploy your API server to a publicly accessible endpoint. Hosting services provide free tiers suitable for testing:
Deploy your application to the selected platform
Configure your application through User applications functionality
Access your application through Navixy to trigger the authentication flow
Verify the middleware successfully calls your
/api/auth/loginendpointTest authenticated API requests with the returned JWT token
Once API connectivity is verified, you can continue development locally while using the deployed endpoint for integration testing.
There is no dedicated test environment or sandbox. Test your integration using your development Navixy account and a test deployment of your application.
Configuration
Your application requires the following environment variables:
JWT_SECRET (Required)
Purpose: Secret key for signing and verifying JWT tokens
Format: String, minimum 32 characters recommended
Example:
your-secret-key-at-least-32-characters-long
DASHBOARD_BASIC_AUTH (Optional)
Purpose: Credentials for Basic Authentication on static assets. Only needed if your application serves static assets (HTML, CSS, JS)
Format:
username:passwordExample:
admin:secure_password_here
Authentication endpoint
To complete the authentication flow, your application must implement the following endpoint that receives authentication requests from the middleware.
POST /api/auth/login
Request
Request Body:
email
string
User's email address from the session
iotDbUrl
string
PostgreSQL connection string for IoT database (role ending with user)
userDbUrl
string
PostgreSQL connection string for user database (role ending with _dashboard_studio)
role
string
User role (default: admin, configurable via DEFAULT_ROLE env)
Response
Success Response (200 OK):
success
boolean
Must be true for successful authentication
user.id
string
Unique user identifier (UUID recommended)
user.email
string
User's email address
user.role
string
User's role
token
string
JWT token for subsequent API requests
Error Response (4xx/5xx):
JWT Token Requirements
JWT (JSON Web Token) is a compact, URL-safe token format that consists of three parts separated by dots:
Payload: Contains the claims (user data like
userId,email,role)Header and Signature: The header specifies the signing algorithm (HS256 or RS256), and the signature ensures the token hasn't been tampered with using your signing secret
Your application generates these tokens during authentication, and they are used to authorize subsequent API requests.
Token Creation
Your application must generate a JWT token with the following payload structure:
userId
string
Yes
Unique user identifier
email
string
Yes
User's email address (used for session validation)
role
string
Yes
User's role
iat
number
Yes
Issued at timestamp (Unix seconds)
exp
number
Yes
Expiration timestamp (Unix seconds)
The email field is critical for session validation. The middleware compares this email with the email from the user's session to detect if a different user is attempting to reuse a cached token.
Token Signing
Use HS256 (HMAC-SHA256) or RS256 (RSA-SHA256) algorithm
Recommended expiration: 24 hours (
exp = iat + 86400)The middleware does not verify the token signature; it only decodes and checks expiration
Signing Secret
Your application must generate and securely store a secret key for signing tokens. This secret is used with the HS256 algorithm (or a private key for RS256).
Generate a random string with at least 32 characters:
Store this secret as an environment variable in your application (commonly named JWT_SECRET as shown in the code examples, but you can use any variable name).
Keep this secret secure and never expose it in client-side code or version control.
Token Validation by Middleware
The middleware validates tokens by:
Expiration Check: Token
expmust be in the future (with 30-second buffer)Email Match: Token
emailmust match the session user's email (case-insensitive)
Token Storage (Client-Side)
The middleware stores the JWT token in the browser's localStorage:
Storage Key
auth_token
JWT token string
API Request Authorization
For /api/* Routes
All requests to paths starting with /api/ will include the JWT token as a Bearer token:
Your API endpoints should:
Extract the Bearer token from the
AuthorizationheaderVerify the token signature (using your secret key)
Check token expiration
Use the decoded payload for user identification
Example (Node.js/Express):
For Static Assets and Other Routes
Non-API routes (HTML, CSS, JS, images) are proxied with Basic Authentication from the middleware's environment:
This is configured via the DASHBOARD_BASIC_AUTH environment variable in the middleware.
Using Database Connection Strings
IoT Database URL (iotDbUrl)
The iotDbUrl provides a PostgreSQL connection string for the IoT database with a role that has read access to IoT data.
Format:
Example usage (Node.js with pg):
User Database URL (userDbUrl)
The userDbUrl provides a PostgreSQL connection string for user-specific data with Dashboard Studio role permissions.
Example usage:
Security Considerations
Never expose database URLs to the client/browser
Store connection URLs securely in server memory or encrypted storage
Use connection pooling to manage database connections efficiently
Consider setting connection timeouts to prevent resource exhaustion
Complete Integration Example
Checklist
Before integrating with App Connect, ensure your application:
Troubleshooting
"Token does not match current session"
This error occurs when the email in the cached JWT token doesn't match the email of the current session user. This typically happens when:
A different user logs in on the same browser
The session expired and a new session was created
Solution: The middleware automatically handles this by removing the old token and requesting fresh authentication.
"Authentication failed"
The middleware received a non-success response from your /api/auth/login endpoint.
Check:
Your endpoint returns
{ success: true, ... }on successYour endpoint returns a valid JWT in the
tokenfieldYour endpoint doesn't throw unhandled errors
API requests return 401
Check:
The client is sending the
Authorization: Bearer <token>headerYour API middleware correctly extracts and verifies the token
The token hasn't expired
Version History
1.0
2025-12-23
Initial contract documentation
Last updated
Was this helpful?