How does the JWT works?


the service provider responsible for our OnlyOffice installation has updated the software. This new version requires a Json Web Token.

So I started digging to implement this token, but I don’t understand how it works, and especially what information to put in the payload. I manage to access the document with an empty token, but the edition no longer registers and I have a WebSocket error :

sockjs.min.js:2 WebSocket connection to ‘wss://’ failed:

The JWT used :

The javascript config is generated with php (Laravel blade template) :

config = {
        "document": {
            "fileType": "{{ $file->name }}".split(".").at(-1),
            "key": key,
            "autosave": false,
            "title": "{{ $file->name }}",
            "url": "{{ $address }}",
        "documentType": doctype,
        "editorConfig": {
            "mode": "{{ $mode }}",
            "callbackUrl" : "{{ $callbackParam }}",
            "lang" : 'fr',
            "customization": {
                "logo": {
                    "image": "",
                    "url": ""
        "height": "100%",
        "width": "100%",
        "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.5IuXpdN4fObi2fx6W5CGCNoz6SJXz8Kvjc1n15krGFo"

    window.docEditor = new DocsAPI.DocEditor("placeholder", config);

The JWTs listed in the OnlyOffice documentation cause an invalid token error.

Several questions :

  • My service provider has set up a password, where am I supposed to enter it?
  • Does the Json Web Token have to have a precise signature or can I put any character string?
  • How to make the Json Web Token have all the permissions, and that it is the same to view, edit, co-edit etc a document (the permissions are managed upstream in PHP)

You would be of great use to me if you helped me a little bit, it’s the first time I’ve used JWTs and all of this is not very clear to me…

Thank you very much !

Everything regarding JWT usage in ONLYOFFICE Document Server is described in the articles below:
There are sample tokens provided in the articles, you can copy these and paste to to find exactly how the payload is formed.

If you are not very familiar with JWT, you can disable it in the Document Server config as described here: