Manage Users Via API

Create, modify, or remove users via Legito API


For authentication, the Legito API uses the Bearer authentication scheme with a JSON Web Token (JWT).

In the JWT bearer authentication flow, your application sends a JWT to the Legito service, asserting its credentials and identifying the user it wishes to impersonate (act on behalf of). Legito validates that the assertion is correctly signed and that your application is permitted to act on behalf of that user.


First you need to generate an API key and a private key in the Legito application under My account -> Settings -> Developers -> API. The private key is the secret used to sign every token for your workspace, so anyone who obtains it can mint valid tokens: store it in a secrets store or environment variable on the server side only, and never embed it in client-side or shipped code.

Create a JWT token

To authenticate in the JWT bearer flow, you will need to create a JWT and include it in the Authorization header of every API request you send to Legito.

In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature


The header, shown below, specifies the type of the token and the algorithm used to sign it. For a Legito service integration, the header must always have a type of JWT and use HS256 as its algorithm.

  {
    "alg": "HS256",
    "typ": "JWT"
  }


The payload section contains the data for the claims that your application is making. Each Legito JWT must contain the following set of claims, as shown below.

Claim   Description
iss     API key (generated in the prerequisites step), which identifies your workspace.
iat     Timestamp when the JWT was issued, in Unix epoch time format.
exp     Timestamp when the JWT assertion will expire, in Unix epoch time format. The default and maximum value is one hour after the issue time.

  {
    "iss": "94afa3c5-a1d5-4657-a8a6-7f968820792c",
    "iat": "1587459071",
    "exp": "1587462671"
  }


The signature part of the JWT enables Legito to verify that the JWT was created by your application and has not been modified since it was created. The first two parts of the JWT (base64url-encoded header and payload, joined by a dot) are signed with your application's private key using HS256. Note that HS256 is HMAC-SHA256, a symmetric keyed hash: the "private key" is a shared secret that both your application and Legito hold, not an asymmetric signing key, which is why it must be protected as carefully as a password.

The secret for the HS256 algorithm is your generated private key.

Example Signature

  base64UrlEncode(header) +
  "." +

Creation of authorization header

All of your API requests must include an Authorization HTTP header using the Bearer scheme and carrying the JWT:

Authorization: Bearer <jwtToken>
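The complete procedure above (header, claims, HS256 signature and the Authorization header), as an added example written for this page; it is not Legito's own code or SDK. It uses only the Python standard library (hmac, hashlib, base64, json) rather than a JWT library, so the signing input and HMAC are visible. The private key value is a constructed placeholder, the API key is the one shown on the page, and iat/exp are emitted as JSON numbers as RFC 7519 defines them (the page shows them quoted as strings; standard JWT libraries produce and expect numbers). A verification function is included to show the checks the receiving side must perform: pinning alg to HS256, constant-time comparison of the HMAC, and rejecting expired tokens or lifetimes over one hour.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample credentials for illustration only; real values come from
# My account -> Settings -> Developers -> API in Legito.
SAMPLE_API_KEY = "94afa3c5-a1d5-4657-a8a6-7f968820792c"  # "iss" value from the page
SAMPLE_PRIVATE_KEY = "constructed-example-secret-do-not-use"  # assumed HS256 shared secret

MAX_LIFETIME = 3600  # the page states the default and maximum validity is one hour


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_legito_jwt(api_key: str, private_key: str,
                      issued_at: Optional[int] = None,
                      lifetime: int = MAX_LIFETIME) -> str:
    """Build header.payload.signature, signing the first two parts with HMAC-SHA256."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    iat = int(time.time()) if issued_at is None else issued_at
    header = {"alg": "HS256", "typ": "JWT"}
    # iat/exp as numbers (RFC 7519 NumericDate), not the quoted strings shown on the page.
    payload = {"iss": api_key, "iat": iat, "exp": iat + lifetime}
    compact = {"separators": (",", ":")}  # no whitespace inside the encoded JSON
    signing_input = (b64url(json.dumps(header, **compact).encode())
                     + "." + b64url(json.dumps(payload, **compact).encode()))
    signature = hmac.new(private_key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_legito_jwt(token: str, private_key: str, now: Optional[int] = None) -> dict:
    """Recompute the HMAC and check expiry, mirroring what the receiving side must do.

    Raises ValueError on any failure. The algorithm is pinned to HS256 so that an
    attacker-supplied header such as {"alg": "none"} is never honoured.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256" or header.get("typ") != "JWT":
        raise ValueError("unexpected header")
    expected = hmac.new(private_key.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    exp, iat = int(payload["exp"]), int(payload["iat"])
    if exp <= current:
        raise ValueError("token expired")
    if exp - iat > MAX_LIFETIME:
        raise ValueError("lifetime exceeds one hour")
    return payload


def authorization_header(token: str) -> dict:
    """The header every Legito API request must carry."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    tok = create_legito_jwt(SAMPLE_API_KEY, SAMPLE_PRIVATE_KEY)
    print(authorization_header(tok))
    print(verify_legito_jwt(tok, SAMPLE_PRIVATE_KEY))
```

Generate a fresh token per request or per short session rather than caching one for the full hour: a token that leaks from a log or proxy is usable by anyone until exp, and Legito cannot tell the replay from your own call.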