Skip to main content

Membrane Token Authentication

Membrane Token authentication uses Membrane’s built-in token system for authentication. This is typically used for internal connectors or services that are aware of Membrane. Membrane Token authentication is useful for:
  • Services that are specifically designed to work with Membrane
  • Testing and development scenarios

Connector Definition

Example Membrane Token connector definition: 
# Connector definition: Use Membrane's built-in token authentication
type: membrane-token
With this authentication method, Membrane will add authentication headers to all requests to your API. It will contain a JSON Web Token signed by the Workspace Secret. The token will contain the following claims:
  • iss - Issuer, will be the key of the workspace integration runs in.
  • sub - Subject, will be the ID of the user who owns the integration being run.
  • fields - Fields of the user who owns the integration being run.

Headers

When using membrane-token authentication, Membrane sends two headers for backward compatibility:
  • X-Membrane-Token - The new, correctly named header (recommended)
  • X-Integration-App-Token - Legacy header (for backward compatibility)
Both headers contain the same JWT token value. You can decode and verify either token to authenticate the request: 
import jwt from 'jsonwebtoken'

// Use the new header (recommended)
const token = headers['x-membrane-token'] || headers['x-integration-app-token']
const workspaceSecret = process.env.WORKSPACE_SECRET

// Verify token
const decoded = jwt.verify(token, workspaceSecret)
// decoded will contain: { iss, sub, fields }

Migration from Legacy Token

If you’re migrating from integration-app-token authentication:
  1. Update your connector definition to use type: membrane-token
  2. Optional: Update your code to read from the X-Membrane-Token header instead of X-Integration-App-Token
  3. The X-Integration-App-Token header will continue to be sent for backward compatibility

Legacy Support

For backward compatibility, connectors using the deprecated integration-app-token type will continue to work and will only receive the X-Integration-App-Token header.