ValorIDE JWT Launch Flow

This page explains how onboarding produces a JWT and how the VS Code extension uses it for instant, authenticated launches.

High level

  1. User completes onboarding and receives a JWT (login response)
  2. Web app stores the JWT in localStorage/sessionStorage
  3. Web app opens the VS Code extension via a vscode:// URI
  4. Extension reads the token from browser-local storage (via webview) or environment/Secrets and initializes an authenticated context

  • Avoid passing the JWT in the URI (not reliable and can exceed URL length)
  • Use a localStorage bridge: store the token in localStorage and send a short postMessage to the opener if available
  • The extension should read the token from multiple sources and then persist it to VS Code secrets for future launches

Example (user flow)

Web app (onboarding):

localStorage.setItem("valoride_jwt", token);
window.open("vscode://valkyrlabsinc.valoride-dev");

Extension activation (pseudocode):

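// Check sources in order: VS Code secrets, environment, then the browser bridge.
const token =
  (await context.secrets.get("valoride.auth.token")) ||
  process.env.VALORIDE_JWT ||
  (await getBrowserStorageToken());
// Only initialize an authenticated context when a token was found.
if (token) initializeWithAuth(token);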

Security notes

  • Persist JWT only in secure storage (VS Code secrets) for production
  • Rotate tokens and enforce short lifetimes + refresh flows
  • Never echo JWT into logs or public URLs
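
The activation lookup and the security notes above, combined in an added example (not ValorIDE's own code): it skips expired or malformed tokens, persists a fresh one to secrets, and logs only a redacted form. It assumes `secrets` exposes `get`/`store` like `context.secrets` and that `readBridge` stands in for `getBrowserStorageToken()`; the function names are hypothetical.

```javascript
// Added example: names other than the secret key, env var and
// getBrowserStorageToken are hypothetical.
const SECRET_KEY = "valoride.auth.token"; // key used in the page's pseudocode

// Read the `exp` claim without verifying the signature. This is only a
// local freshness check; the backend must still verify the token.
function tokenExpiry(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    // Node's "base64" decoder also accepts the URL-safe alphabet JWTs use.
    const payload = JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
    return Number.isFinite(payload.exp) ? payload.exp : null;
  } catch {
    return null; // not a decodable JWT payload
  }
}

function isUsable(token, nowSec = Math.floor(Date.now() / 1000)) {
  const exp = tokenExpiry(token);
  return exp !== null && exp > nowSec;
}

// Safe form for logs: never the token itself, only its length.
function redact(token) {
  return token ? `<jwt redacted, ${token.length} chars>` : "<none>";
}

// `secrets` is anything with get/store like context.secrets;
// `readBridge` stands in for getBrowserStorageToken().
async function resolveToken(secrets, env, readBridge, nowSec) {
  const candidates = [
    ["secrets", () => secrets.get(SECRET_KEY)],
    ["env", () => env.VALORIDE_JWT],
    ["bridge", readBridge],
  ];
  for (const [source, read] of candidates) {
    const token = await read();
    if (!isUsable(token, nowSec)) continue; // expired or malformed: try next source
    if (source !== "secrets") await secrets.store(SECRET_KEY, token);
    console.log(`auth token from ${source}: ${redact(token)}`);
    return token;
  }
  return null; // caller should send the user back through login
}
```

A `null` result means no source held a usable token, so the extension should fall back to the login flow rather than initialize with a stale one.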

See also: JWT Quick Reference