We’ve migrated our documentation to a new site, which means some URLs have changed.
Subscriptions

Provisional token verification for implicit login in SwG for Identity linking

The below article describes the Identity Linking provisional token verification for implicit login in Subscribe with Google flows.

For clients using Identity Linking, during the Subscribe with Google (SwG) flows on the web such as buy, auto-login and deferred account creation, Piano’s integration with Google leverages a “provisional token” that’s issued by Piano to act as temporary authentication for the user. The provisional token ensures that the user’s entitlements are recognized and they are no longer targeted with the paywall. However, the provisional token does not by itself indicate that the user is authenticated in the client's 3rd party user management system. This can be addressed in several ways.

Provisional token verification

The provisional token is a JWT issued by the Identity Management. As such, it can be verified for a valid signature. The token can be retrieved on the frontend at the moment of the flow completion, or alternatively on the backend by reading the __utp cookie.

On the front end, the externalCheckoutComplete event can be used as an indicator of the completed SwG flow. The handler of this event can retrieve the current token via the tp.pianoIdLite.getToken() function and send it to the website’s backend for verification. This is an example of such handler implementation:

tp.push(["addHandler", "externalCheckoutComplete", (data) => {
    // The "data" object has the following structure:
    // {
    //     type:"swg"
    //     flow:"<loginPrompt|deferredAccountCreation|buy>"
    // }
    switch (data.type) {
        case "swg":
            // Retrieve the issued provisional token
            var userToken = tp.pianoIdLite.getToken();
            // This is a mock function that's supposed to receive and validate the provisional token
            // Note that most likely  this function doesn't exist, it's presented only as an example
            ExternalUserSystem.validate(userToken).then((cookieData) => {
                // Assuming that the verification was successful - the session cookies must be set
                // Note that most likely this function doesn't exist, it's presented only as an example
                ExternalUserSystem.setSessionCookies(cookieData);
                // Reload the page
                location.reload();
            })
    }
}]);

The backend for such implementation would run the standard JWT verification. Various libraries for different languages that can be used for the JWT verification are available under the following link: https://jwt.io/#libraries-io.

For the verification secret, please reach out to our support at support@piano.io.

Acknowledgment of provisional token as a valid user session

Alternatively, the website can completely rely on the Piano’s JS to determine the login status of the user by leveraging the tp.pianoIdLite.isUserValid() function. For example by using this function prior to presenting the login/registration buttons.

Last updated: