Customizing the JWT

At a minimum, the JWT (JSON Web Token) passed from your application to the Pandium In-App Marketplace must offer a unique identity for the user accessing the marketplace. Nevertheless, the token’s functionalities go beyond simply logging a user into Pandium.

By customizing the JWT, you can configure various options, like displaying specific integrations to certain users, defining user groups, and executing other actions tailored to your requirements.

Note: The In-App Marketplace and related features are not included in the Pandium Lite offering.

Customizing Marketplace Views

When configuring your marketplace, you might need distinct views based on user and app groupings.

This customization can be seamlessly achieved by manipulating a JWT. By specifically identifying users and apps through email and ID within the xti (extra tenant information) field in the JWT, and following predefined rules set by Pandium to support these rules, you can unlock several possibilities.

Below are a few relevant use cases for changing the marketplace view:

Displaying Multiple App Types to a Single User

If you wish to selectively present certain integrations to a user, you can refer to the app ID in the JWT. Specify a list, for example, using a field like ‘hidden_integrations,’ and those apps will not be visible to specific user(s).

Showing Different Marketplaces By a User Group

Similarly, you can define a group, such as. ‘user_group’ or ‘user_tier’ in the xti field. List the apps you want to display for that particular group.

Managing Integration Installs Based on User Groups

Once again, within the same xti field, you can define a user group and introduce parameters like ‘allowed_installs.’ This feature can limit the number of apps a user is permitted to install. For additional use cases, please reach out to your Technical Account Manager so that we can collaborate on supporting these functionalities.

Note: The Marketplace and related features are not included in the Pandium Lite offering.

Linking Legacy Integrations in the In-App Marketplace

If you have existing apps linked to existing "legacy" integrations and wish to showcase them in the embedded marketplace, enabling customers to link out to installed instances, follow these steps:

1. Create an External Integration - find instructions here.

2. In the JWT, under the external integration ID field represented by ili, insert the value passed into the JWT. If the customer has the integration installed, it will be visible in the marketplace; if not, it won't show, and the app will appear normally.

3. In the external integration URL field on an external integration, paste the URL where the integration lives in your system.

The JWT payload is where your application encodes custom information or claims about your user.

Refer to table below for a list and descriptions of the claims your JWT should contain:

JWT Payload:

The JWT payload is where your application will encode the custom pieces of information, or claims, about your user.

The table below provides a list and descriptions of the claims your JWT should contain.

The table below provides a list and descriptions of the properties of the object mentioned above.


 "iat": 1621521641,
 "jti": "1cfa7dbf-8110-4237-ad22-410608791b7d",
 "ti": {
   "udn": "Pandium Test",
   "ufn": "Important Person",
   "uem": "",
   "ili": [
   "aid": "",
   "adn": "",
   "xti": {
     "extraProp": "extra value",
     "extraList": [
 "sub": "test-pandium-com"


The JWT signature is produced by concatenating the Base64url encoded header with the Base64url encoded claims, and then signing using the shared secret using HMAC with SHA-256.

HMAC-SHA256(base64url-encoded(header) + "." + base64url-encoded(payload)), <shared secret>)

A complete example.


Last updated