How to pass JWT token of Logged-IN user in API call via script

I am using Squidex Identity server to protect API calls so we need to pass JWT token on each API call. I have some custom script which run on content change and I want to pass JWT token of logged-in user in the API call.

I can see, etc available. Is there a way to get hold of token which I can pass?

var url = ‘’;
var headers = {
Authorization: Bearer 'Token’

getJSON(url, function(result) {

}, headers);

It is not possible because at the moment. Because the scripts do not necessarily run in the context of a http request.

The question is: What token? The normal token is only usable in the context of the Squidex frontend.

I am talking about below token which is currently being passed on /api, /schema calls. I am able to use same token to get Content also via API calls. I captured from network tab. I thought if somehow I can access this token in Scripting and pass it to outgoing API call in header.


Yes, but a lot of scripts to do not run in the context of a request.

But in your profile you can create a permanent access key and secret, which can be used for authorization.

You mean, ClientId/Secret , right?

Yes, sorry, this is what I mean.

Sure, thanks. I will go with this option.

1 Like

Looks like we only have GET method but https://squidexserver/identity-server/connect/token is a POST operation.

getJSON(url, function(result) {

}, headers);

Yes, you are right. Perhaps I can provide another solution and write an extension to create a token from a user id or something like that. But I am not sure which security implications it has.

Is there no other way? I am mean if the API is in the same network can you just not allow internal traffic?

Ok, API and Squidex are not in same network and that’s why I wanted to do this. I will figure out something else. No worries.

You can use a second authorization and implement a simple API key. I have done this as well, takes only a few hours.

I am not sure if you use ASP.NET Core, you can add several authentication methods and then write a policy authorization schema which selects the actual schema based on header values and so on, e.g. use ApIKey if defined, or Bearer Token otherwise:

I was already thinking about ApiKey approach :slight_smile: