JWT — ValorIDE Quick Reference

Essential JWT handling for ValorIDE and ValkyrAI integrations.

Where to store tokens

  • Development: sessionStorage/localStorage (short-term)
  • Production: use secure remote-refresh flow + store short-lived token in VS Code Secrets

Common patterns

  • On login, web app receives token and authenticated principal object
  • Store token in localStorage for webviews, then bridge into extension using postMessage/localStorage
  • Extension persists token in context.secrets for secure storage
  • Access token: short-lived (5–15 minutes)
  • Refresh token: rotate frequently; store securely server-side when possible

Example: Obtain token (login flow)

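// Runs inside an async function in the web app; loginUser and payload come from the app.
const resp = await loginUser(payload);
const token = resp.token;
// Short-term browser storage, as listed for development under "Where to store tokens".
sessionStorage.setItem("jwtToken", token);
// localStorage copy for webviews, which is then bridged into the extension.
localStorage.setItem("valoride_jwt", token);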

Example: Extension read sequence

  1. context.secrets
  2. environment variable VALORIDE_JWT
  3. browser localStorage via webview
  4. prompt user to authenticate
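
The read sequence above as a runnable sketch; this is an added example, not ValorIDE's own code. It goes slightly beyond the list by skipping expired or malformed tokens at each step and by writing a token found in a later source back to secret storage. `SECRET_KEY`, `askWebview` and `promptLogin` are assumed names, and `sources.secrets` stands in for `context.secrets` (`get`/`store`).

```javascript
// Added example. SECRET_KEY, askWebview and promptLogin are assumed names.
const SECRET_KEY = "valoride_jwt";

// Read `exp` from the payload. This does NOT verify the signature; the server must.
function jwtExpiry(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
    return typeof claims.exp === "number" ? claims.exp : null;
  } catch {
    return null; // payload is not valid JSON
  }
}

// Usable = well-formed and more than `skewSec` seconds of lifetime left.
function isUsable(token, nowSec, skewSec = 30) {
  const exp = jwtExpiry(token);
  return exp !== null && exp - nowSec > skewSec;
}

// Walk the four sources in the page's order; the first usable token wins.
async function resolveToken(sources, nowSec = Math.floor(Date.now() / 1000)) {
  const steps = [
    ["secrets", () => sources.secrets.get(SECRET_KEY)], // 1. context.secrets
    ["env", () => sources.env.VALORIDE_JWT],            // 2. environment variable
    ["webview", () => sources.askWebview()],            // 3. localStorage via webview
    ["prompt", () => sources.promptLogin()],            // 4. interactive login
  ];
  for (const [source, read] of steps) {
    const token = await read();
    if (!token || !isUsable(token, nowSec)) continue; // missing, malformed or expired
    // Persist so the next lookup is served from secret storage.
    if (source !== "secrets") await sources.secrets.store(SECRET_KEY, token);
    return { token, source };
  }
  return null; // nothing usable: caller stays unauthenticated
}

// Constructed sample token (placeholder signature) and in-memory stand-ins for the demo.
const b64url = (s) => Buffer.from(s).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = (exp) => `${b64url('{"typ":"JWT"}')}.${b64url(JSON.stringify({ exp }))}.sig`;
const demoStore = new Map();
resolveToken({
  secrets: { get: async (k) => demoStore.get(k), store: async (k, v) => void demoStore.set(k, v) },
  env: { VALORIDE_JWT: sampleToken(0) }, // long expired, must be skipped
  askWebview: async () => sampleToken(Math.floor(Date.now() / 1000) + 600),
  promptLogin: async () => undefined,
}).then((r) => console.log("token source:", r.source)); // log the source, never the token
```

The local `exp` check only avoids sending a token that is already stale; it is not authentication, which remains the server's signature verification.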

Security checklist

  • Do not leak tokens in URLs or logs
  • Use HTTPS for all token transit
  • Use CSP and secure webviews for token access

See also: ValorIDE JWT Launch Flow