Domino uses the OpenID Connect (OIDC) protocol to generate user-specific JWT tokens, or "Domino Tokens". This Domino token is signed by Domino and made available in your Workspace, Job, App, Scheduled Job, or Launcher. The token is securely signed by Domino. You can use it to authenticate to third party resources or data sources. Additionally, this token can be used to authenticate with the Domino API.
As the token is short lived and automatically refreshed by Domino, it can be used in scenarios where you would to limit a user’s access to, for example, a data source exclusively from Domino which has security advantages over provisioning them long lived keys that can be used anywhere or by anyone.
Workspaces, Jobs, Apps, Scheduled Jobs, and Launchers have a Domino
Token for the user. This is at path
This is indicated by environment variable
default the Domino Token has an expiration of 5 minutes, but is
automatically refreshed throughout your workspace or job.
For example, from a workspace, you can authenticate to one of the Domino APIs with the following:
TOKEN=`cat $DOMINO_TOKEN_FILE` curl -H "Authorization: Bearer $TOKEN" $DOMINO_API_HOST/v4/users/self
Each system will have different steps for configuration but will likely
require you to enter Domino’s JWKS endpoint which is
For offline services, retrieve and record the JWKS data to use offline
with your library. Alternatively, you can use the public key or
certificate which can be found at
By default, the Domino Token contains standard claims like name, username and email, but additional custom claims can be included by adding additional mappers in the domino-play client in Keycloak. This may be useful if you intend to set up bounded claims in the system you’re integrating to. For example, you might want to only authorize users with a specific organization claim or any other SAML assertion that flows into Domino from your Identity Provider.
JWT.io is a useful resource for decoding and inspecting the content of a JWT token.