Membrane Token Authentication

Membrane Token authentication uses Membrane's built-in token system for authentication. This is typically used for internal connectors or services that are aware of Membrane.

Membrane Token authentication is useful for:

Services that are specifically designed to work with Membrane
Testing and development scenarios

Configuration

In your spec.yml:

auth:
  type: membrane-token

With this authentication method, Membrane will add authentication headers to all requests to your API. It will contain a JSON Web Token signed by the Workspace Secret. The token will contain the following claims:

iss - Issuer, will be the key of the workspace integration runs in.
sub - Subject, will be the ID of the user who owns the integration being run.
fields - Fields of the user who owns the integration being run.

Headers

When using membrane-token authentication, Membrane sends two headers for backward compatibility:

X-Membrane-Token - The new, correctly named header (recommended)
X-Integration-App-Token - Legacy header (for backward compatibility)

Both headers contain the same JWT token value.

You can decode and verify either token to authenticate the request:

import jwt from 'jsonwebtoken'

// Use the new header (recommended)
const token = headers['x-membrane-token'] || headers['x-integration-app-token']
const workspaceSecret = process.env.WORKSPACE_SECRET

// Verify token
const decoded = jwt.verify(token, workspaceSecret)
// decoded will contain: { iss, sub, fields }

Migration from Legacy Token

If you're migrating from integration-app-token authentication:

Update your connector spec to use type: membrane-token
Optional: Update your code to read from the X-Membrane-Token header instead of X-Integration-App-Token
The X-Integration-App-Token header will continue to be sent for backward compatibility

Legacy Support

For backward compatibility, connectors using the deprecated integration-app-token type will continue to work and will only receive the X-Integration-App-Token header.