This quick start guide will walk you through the basics of using JSON Web Tokens (JWT) in a Mattermost App in Go. In this guide you will review an App that:
manifest.json, declares itself an HTTP application that uses a bot account, uses JWT, and attaches UI elements to locations in the Mattermost interface.
sendfunction to a
/hello-jwtcommand and wraps it with a function to authenticate JWT.
Why you would want to use JWT for App development? Using a token, your App can validate the legitimacy of any request by ensuring it’s coming from the expected Mattermost server. Simply put, implementing JWT will enhance your App’s security and functionality via a handshake.
Before you can start with your App, you should first set up your environment by following the developer setup guide.
You also need Go v1.16 or later installed. Please follow the official guide to install the latest version.
cd golang/jwt docker compose up
You’ll see Docker install the Go modules and then the App will come online and print the following message:
Use '/apps install http http://mattermost-apps-golang-jwt:8084/manifest.json' to install the app Use "1234" as the app's JWT secret
The secret comes from this line in
var secret = byte("1234")
In a production app, you should generate the secret at random per App installation, and store on the App’s end to identify the specific Mattermost server.
Next, access your development Mattermost Server at http://localhost:8065 and use the
/apps install http http://mattermost-apps-golang-jwt:8084/manifest.json slash command to install the JWT App. Select
Agree to grant the app access to APIs and Locations, enter the JWT secret (1234), and click
Submit to finish the installation.
You can now use the
/hello-jwt send command. This will cause the App’s bot user to direct message (DM) you a response:
To understand the App, examine the following elements:
The App must provide a manifest, which declares App metadata. In this example, the following permissions are requested via the
Bindings specify how an App’s calls should be displayed and invoked from these locations. Locations are named elements in the Mattermost user interface.
The App creates a
/hello-jwt send slash command that checks the validity of the JWT.
Call handlers are functions that respond to user interactions and webhook events. The JWT App relies on one main call handler:
sendthat services the command and modal form submissions. This function is wrapped with
withJWTthat requires JWT, which calls
checkJWTto verify the provided token.
Apps may include static assets. Only one asset is used in this example for this App:
icon.png. Static assets must be served under the
Once you’re done with the App, you can uninstall it via the
/apps uninstall hello-jwt slash command. Alternatively, you can use
/apps debug clean to remove all data for all installed Apps.
To stop and clean up the App from Docker after you’re done, use the following command in the
docker compose down
You now know how to create a Mattermost App in Go that uses JWTs. If you have questions about building Apps or want to show off what you’re building, join us on the Mattermost Apps channel in the Mattermost Community server!