The authentication bearer defines the ownership and level of access in all requests to the Intrasheets server. Your backend should provide a signed JWT to the frontend, and the Intrasheets should be capable of verifying the authenticity of all HTTP requests. For this reason, the JWT_TOKEN_SIGNATURE should be the same in both application and Intrasheets server.

Anonymous users

Anonymous users can access public spreadsheets without any token or private spreadsheets with a valid invitation code.

Invitation code

When an authenticated user uses the invitation code, that becomes bound to that user. So, the code is no longer available for any other user.

Your application can verify if the invitation code is valid using the following request.
// Create a temporary JWT to validate a invitation code
    'exp': time() + 30, // Valid for 30 seconds
    'user_id': 111, // false for anonymous users
    'guid': 'spreadsheet-unique-identifier',
    'small_token': 'invitation-code',
    'scope' => ['invitation'],

curl -X POST -H "Authorization: Bearer {token}"

// Fail will return
{ error: 1, message: 'reasons' }

// Success will return
{ success: 1, data: { sheet_id: 11111 } }

If you have a valid token, the sheet_id will return so you can create a signed JWT for the frontend.

Authorization JWT for anonymous user in a private spreadsheet

    // The unique user identification of your user inside the backend application
    "sheet_id": 11111,
    // The full name of the user
    "small_token": "invitation-code"

Logged users

Authenticated users should receive the following Authorization JWT.
    // The unique user identification of your user inside the backend application
    "user_id": 999,
    // The full name of the user
    "user_name": "Who is logged",
    // The Guid identification provided by the Intrasheets saved on the backend application
    "user_signature": "intrasheets-guid-per-user",
    // This is the JWT expiration date. That can is optional when the JWT does not have expiration date.
    "exp": "unix-timestamp"

User signature

The user_signature is a property provided by the Intrasheets server. You can request that via API, for example:
// Authentication bearer to generate a new the user_signature (this should be signed)
    'exp' => time() + 30, // Valid for 30 seconds
    'user_id' => 999,
    'scope' => ['signature'],
curl -X POST -H "Authorization: Bearer {token}"