Generate Client Tokens

Virgil Security gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your backend, pass them back to a client device, and then use them to initialize the E3Kit.

In this guide we'll show how to generate client tokens at your backend using our Crypto Library and Core SDK.

Before you begin

The first thing you need to do is to generate an App Key for your Virgil Application. If you don't have one yet, use the Virgil Security Developer Dashboard to sign up and create an application for your project.

Install Virgil Core SDK



npm install virgil-sdk virgil-crypto


yarn add virgil-sdk virgil-crypto

Collect your Virgil developer credentials

APP_IDThe ID of your Virgil Application - create one at Virgil Dashboard.
APP_KEYApp Keys consist of a public-private key pair specific to a Virgil Application. The private key is held by your backend and used to sign unique JWTs for each user, and the public key is stored in the Virgil Cloud to verify the signature of the JWTs to allow those users to perform operations on Virgil Cloud.
APP_KEY_IDID of your generated APP_KEY. Find it next to your generated App Key in the dashboard.

Set up server side and generate JWT

Set up the JwtGenerator and generate a JWT using the Virgil Core SDK at your backend.

Here is an example of how to generate a JWT:

// server.js

const express = require('express');
const { initCrypto, VirgilCrypto, VirgilAccessTokenSigner } = require('virgil-crypto');
const { JwtGenerator } = require('virgil-sdk');

async function getJwtGenerator() {
  await initCrypto();

  const virgilCrypto = new VirgilCrypto();
  // initialize JWT generator with your App ID and App Key ID you got in
  // Virgil Dashboard.
  return new JwtGenerator({
    appId: process.env.APP_ID,
    apiKeyId: process.env.APP_KEY_ID,
    // import your App Key that you got in Virgil Dashboard from string.
    apiKey: virgilCrypto.importPrivateKey(process.env.APP_KEY),
    // initialize accessTokenSigner that signs users JWTs
    accessTokenSigner: new VirgilAccessTokenSigner(virgilCrypto),
    // JWT lifetime - 20 minutes (default)
    millisecondsToLive:  20 * 60 * 1000

const generatorPromise = getJwtGenerator();

app.get('/virgil-jwt', (req, res) => {
  const generator = await generatorPromise;
  // Get the identity of the user making the request (this assumes the request
  // is authenticated and there is middleware in place that populates the
  // `req.user` property with the user record).
  const virgilJwtToken = generator.generateToken(req.user.identity);
  // Send it to the authorized user
  res.json({ virgilToken: virgilJwtToken.toString() });

For this tutorial we've created a sample backend that demonstrates how you can set up your backend to generate the JWTs. To set up and run the sample backend locally, head over to your GitHub repo of choice:

Node.js | Golang | PHP | Java | Python and follow the instructions in README.

Now you can generate JWT on your backend to initialize E3Kit on client side.

Next step

Setup and initialize Virgil E3Kit on your client side: