User login

Overview

Prophy offers a JWT-based login mechanism that allows users from your system to access the Prophy platform directly without requiring separate registration. This enables seamless navigation between your platform and Prophy.

Key features:

  • No registration — your users won't have to register in Prophy and remember a password.
  • Click to go to Prophy — embed 'go to Prophy' buttons in your interface wherever transitions to Prophy are needed. A single click will authenticate the user and redirect them to the appropriate page in Prophy.
  • Resource-Specific Access — Prophy will give the user all necessary access and roles to work with the manuscript.
  • Time-limited sessions — each session after logging in via the JWT will last only one hour, which adds additional protection against unauthorized access.
  • Time-limited manuscript access — your system can specify how long access to a particular manuscript is granted. For example, a user may access a manuscript only during a grant call duration.

Endpoint
https://www.prophy.ai/api/auth/api-jwt-login/

To use this endpoint, append your JWT as a URL parameter named token:

https://www.prophy.ai/api/auth/api-jwt-login/?token=JWT

Why JWT?

A JWT lets your system pass information to ours through the user's browser, without any direct communication between the two systems. It is cryptographically signed, so the user cannot tamper with its contents without invalidating it. It is also time-restricted, which limits the window in which a leaked token can be used.

You can refer to the following materials:

Best practice

"Go to Prophy" buttons in your interface should never embed a JWT directly in the page. Instead, the button should point to a secure backend endpoint in your application. That endpoint verifies the user's current session and permissions, generates the JWT server-side, and then redirects the user to Prophy.

This achieves several things:

  1. A JSON Web Token is time-restricted. Because the token is generated at the moment of the click rather than when the page was opened, the redirect still works even if the user has kept the page open for a long time (workflows differ from user to user).
  2. You only need to generate and sign one token per click, instead of possibly tens of tokens per page (for example, if you want to include links to author profiles).
  3. It is harder to accidentally copy a link containing a JWT and send it to an unauthorized user.

JWT creation workflow

  1. Construct JWT payload according to the user's needs.
  2. Use your JWT Key to generate the JWT. A user with Integrations admin quota can view and manage the JWT Key on the Integrations dashboard.
  3. Generate the login URL by appending the JWT to the User login endpoint as the token URL parameter:
    https://www.prophy.ai/api/auth/api-jwt-login/?token=JWT
  4. Redirect the user to the URL with a GET request.

JWT claims

JWT header

JWT header is always the same:

{
  "alg": "HS512",
  "typ": "JWT"
}

JWT payload

  sub (string, required)
    Your JWT Sub. Identifies the issuer of the JWT.

  organization (string, required)
    Your organization code. Defines the organization into which the user should be logged in.

  iat (float, required)
    UNIX timestamp when the token was generated. It determines the session start and end time.

  email (string, required)
    Email of the user to log in.

  folder (string, required)
    A folder name. The user will be assigned to the folder's team and will have access to all manuscripts in the folder unless temp-access-until is specified.

  manuscript_id (integer)
    Manuscript ID in the Prophy database. The user will be redirected to the referee finder interface of the manuscript. origin_id can be used instead.

  origin_id (string)
    Client-side ID of the manuscript. The user will be redirected to the referee finder interface of the manuscript. manuscript_id can be used instead.

  author_id (integer)
    Author ID in the Prophy database. The user will be redirected to the author profile page.

  temp-access-until (float)
    UNIX timestamp until which the user is given access to the manuscript. Applies only if manuscript_id or origin_id was provided. If specified, the user will have access only to that specific manuscript, rather than to all manuscripts in the folder.

  custom_author_id (integer)
    Author ID in the Prophy database. Identifies a candidate that will be highlighted in the Referee Finder interface. Applies only if manuscript_id or origin_id was provided.

Exactly one of manuscript_id, origin_id, author_id is required to define a redirect location.
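The backend endpoint recommended under "Best practice", written out as an added example (this is not Prophy's own code): it builds the HS512 token from the claims above at click time using only the Python standard library, enforces the exactly-one-redirect-claim rule, and includes a defender-side verifier that checks the signature in constant time and rejects tokens older than the one-hour session window. The key, the folder name and the one-hour freshness limit are assumed values, not taken from the page.

```python
"""Server-side generation of a Prophy login URL (HS512 JWT), stdlib only."""
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

LOGIN_ENDPOINT = "https://www.prophy.ai/api/auth/api-jwt-login/"
HEADER = {"alg": "HS512", "typ": "JWT"}          # fixed header from the docs
REDIRECT_CLAIMS = ("manuscript_id", "origin_id", "author_id")

def _b64url(data: bytes) -> str:
    # JWT segments are unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _compact(obj) -> bytes:
    # No whitespace in the signed JSON, as jwt.io and common libraries emit it
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")

def sign_jwt(payload: dict, key: str) -> str:
    signing_input = _b64url(_compact(HEADER)) + "." + _b64url(_compact(payload))
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig)

def build_login_url(key, sub, organization, email, folder, now=None, **redirect):
    """Return the URL a 'go to Prophy' backend endpoint redirects to.
    Call it at click time so iat reflects the click, not the page load."""
    targets = [c for c in REDIRECT_CLAIMS if c in redirect]
    if len(targets) != 1:
        raise ValueError("exactly one of manuscript_id, origin_id, author_id required")
    if "temp-access-until" in redirect and targets[0] == "author_id":
        raise ValueError("temp-access-until applies only to manuscript redirects")
    payload = {"sub": sub, "organization": organization, "email": email,
               "folder": folder, "iat": int(time.time() if now is None else now)}
    payload.update(redirect)
    return LOGIN_ENDPOINT + "?" + urlencode({"token": sign_jwt(payload, key)})

def verify_jwt(token: str, key: str, now=None, max_age=3600):
    """Constant-time signature check plus iat freshness (assumed 1h window).
    Returns the payload on success, None on any failure."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key.encode(), f"{h}.{p}".encode(), hashlib.sha512).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        if json.loads(_b64url_decode(h)) != HEADER:
            return None
        payload = json.loads(_b64url_decode(p))
        age = (time.time() if now is None else now) - payload["iat"]
    except (ValueError, KeyError, TypeError):
        return None
    return payload if 0 <= age <= max_age else None
```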

Example GET request

The example JWT Key is qwe.

curl -X GET -L "https://www.prophy.ai/api/auth/api-jwt-login/?token=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJUZXN0IE9yZyIsImlhdCI6MTc0NDk3NjAyOSwiZW1haWwiOiJ1c2VyQGV4YW1wbGUtZW1haWwuY29tIiwib3JnYW5pemF0aW9uIjoiVGVzdCBPcmciLCJqb3VybmFsIjoiVGVzdCBKb3VybmFsIiwib3JpZ2luX2lkIjoidGVzdC1wcm9wb3NhbCJ9.zz3HMrEx23IiWIlwBfCe4ZbC1Vbt5RNCLa-qVuO8LqhDPsO5agP5ylpF7Rf2xoyjS4gP_hjFfi2aKlfVWSUVWg"