
Security & Authentication Proxy

Restrict access to meinGPT-originated sessions and enforce secure identity forwarding

Target model

Your app accepts only traffic coming through meinGPT and treats meinGPT as a trusted authentication proxy.

Quick start

Receive the token - The JWT is passed in the URL hash:

const token = new URLSearchParams(window.location.hash.slice(1)).get('token');

Verify the token - Send it to your backend with every request (the middleware below expects an Authorization: Bearer header) and validate signature and claims there via JWKS. Never make authorization decisions from claims decoded in the browser; the frontend cannot verify the signature.

Handle expiry - Tokens expire after 1 hour; meinGPT delivers a fresh token via postMessage, so the frontend must listen for that message and swap the new token in before the current one expires.
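Client-side handling of the three quick-start steps, as an added example that is not meinGPT's own code. The page does not define the refresh message, so its shape is assumed here: posted by https://app.meingpt.com and carrying { type: 'meingpt:token', token: '<jwt>' }. Adjust the type and field names to the documented protocol; the part that matters is the origin check, because any frame in the hierarchy can post a message into your window.

```javascript
// Added example (not meinGPT's code). Assumed refresh message shape:
// { type: 'meingpt:token', token: '<jwt>' } posted from MEINGPT_ORIGIN.
const MEINGPT_ORIGIN = 'https://app.meingpt.com';

// A JWT is three non-empty base64url segments; anything else is not forwarded.
function looksLikeJwt(value) {
  return typeof value === 'string' && /^[\w-]+\.[\w-]+\.[\w-]+$/.test(value);
}

// Read "#token=<jwt>" from the fragment. Fragments are not sent to the server
// with the request, but they do land in browser history unless stripped (below).
function tokenFromHash(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  const token = new URLSearchParams(raw).get('token');
  return looksLikeJwt(token) ? token : null;
}

// Decode the payload WITHOUT verifying it. The client only uses exp to know
// when a refresh is due; all trust decisions happen on the backend after
// signature verification.
function payloadOf(token) {
  let b64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Seconds until the token expires at nowSec; 0 or less means it is stale.
function secondsUntilExpiry(token, nowSec = Math.floor(Date.now() / 1000)) {
  const { exp } = payloadOf(token);
  return typeof exp === 'number' ? exp - nowSec : 0;
}

// Handle a "message" event. Returns the token to use from now on: the new one
// only if the event really comes from meinGPT and is well-formed, otherwise
// the current one. event.source is not checked because the page does not say
// which window sends the refresh; the origin check is mandatory regardless.
function acceptRefresh(event, currentToken) {
  if (event.origin !== MEINGPT_ORIGIN) return currentToken;
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || msg.type !== 'meingpt:token') return currentToken;
  if (!looksLikeJwt(msg.token)) return currentToken;
  return msg.token;
}

// Browser wiring; guarded so the helpers above can also be exercised in Node.
if (typeof window !== 'undefined') {
  let token = tokenFromHash(window.location.hash);
  // Drop the fragment so the JWT does not stay in the address bar or history.
  window.history.replaceState(null, '', window.location.pathname + window.location.search);
  window.addEventListener('message', (event) => {
    token = acceptRefresh(event, token);
  });
  // Every backend call carries the token as a bearer header, e.g.
  // fetch('/api/reports', { headers: { Authorization: `Bearer ${token}` } })
  void secondsUntilExpiry; // use to schedule a warning if no refresh arrived in time
}
```

The payload decode is deliberately unverified: it only tells the client when to expect a refresh. Treat a token whose expiry has passed without a refresh message as a signal to surface an error, not as a reason to trust the decoded claims.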

Required checks in your app

  • Verify the JWT signature against the JWKS published for your organization
  • Validate iss against https://app.meingpt.com
  • Validate aud against your organizationId (the same ID that appears in the JWKS path below)
  • Validate exp/iat
  • Reject requests without a valid token

JWKS endpoint:

https://app.meingpt.com/api/custom-apps/v1/jwks/{organizationId}

Relevant JWT claims

Claim             Description
iss               always https://app.meingpt.com
sub               unique user ID
aud               organization ID
exp / iat         expiry and issued-at times
email, username   user identity
role, teams       role/team context for authorization

For the cross-cutting platform pattern, see JWT Identity Forwarding.

Allow only meinGPT as embedding source

Set CSP for your frontend:

Content-Security-Policy: frame-ancestors https://app.meingpt.com;

Optionally add further allowed origins if your deployment requires them, and keep that list as short as possible. Send the directive as an HTTP response header; frame-ancestors is ignored in a <meta> tag. Without this header any site can embed your app in a frame.

Proxy pattern for third-party APIs

  • Keep API keys server-side in your app
  • Frontend calls only your backend endpoints
  • Backend enforces permissions based on meinGPT JWT claims

This way, meinGPT acts as identity source and your backend as policy enforcer.
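The pattern above as working backend code, added here as an example and not meinGPT's or any project's own code. Assumed for illustration: req.user holds claims that the verification middleware has already checked, the role values admin and member, an invented action vocabulary, an invented report-to-team ownership table and an invented upstream API. The third-party key is read from the server environment and never leaves the backend.

```javascript
// Added example (not meinGPT's code). The role names, actions, ownership
// table and upstream host are constructed for illustration.
const THIRD_PARTY_API_KEY = process.env.THIRD_PARTY_API_KEY ?? 'constructed-server-side-key';
const UPSTREAM = 'https://reports.third-party.example';

// Default-deny: a role not listed here, or an action not listed for a role,
// is denied. This table is the single place where "who may do what" lives.
const ROLE_PERMISSIONS = {
  admin: new Set(['report:read', 'report:export', 'report:delete']),
  member: new Set(['report:read', 'report:export']),
};

// Constructed ownership table; in a real app this comes from your database.
const REPORT_OWNER_TEAM = { 'rep-1': 'sales', 'rep-2': 'finance' };

// Decide from the verified claims alone. `teams` is read as the list of teams
// the user belongs to; admins bypass the team check, members must be in the
// team that owns the report. Unknown resources answer 404 rather than 403 so
// the endpoint does not confirm which report IDs exist.
function decide(claims, action, reportId) {
  const permitted = ROLE_PERMISSIONS[claims.role] ?? new Set();
  if (!permitted.has(action)) return { allow: false, status: 403, reason: 'role' };
  const owner = REPORT_OWNER_TEAM[reportId];
  if (!owner) return { allow: false, status: 404, reason: 'unknown report' };
  const teams = Array.isArray(claims.teams) ? claims.teams : [];
  if (claims.role !== 'admin' && !teams.includes(owner)) {
    return { allow: false, status: 403, reason: 'team' };
  }
  return { allow: true, status: 200 };
}

// The upstream call the backend makes on the user's behalf. The API key is
// attached here only; the browser never sees it. The verified subject is
// forwarded as a header so upstream audit logs can attribute the call.
function upstreamRequest(claims, action, reportId) {
  const verb = action.split(':')[1]; // 'read' | 'export' | 'delete'
  return {
    url: `${UPSTREAM}/reports/${encodeURIComponent(reportId)}/${verb}`,
    method: verb === 'delete' ? 'DELETE' : 'GET',
    headers: {
      Authorization: `Bearer ${THIRD_PARTY_API_KEY}`,
      'X-On-Behalf-Of': claims.sub,
    },
  };
}

// Express-style handler mounted behind the verification middleware, e.g.
//   app.all('/api/reports/:id/:verb', requireMeinGPTAuth, reportHandler)
async function reportHandler(req, res) {
  const action = `report:${req.params.verb}`;
  const decision = decide(req.user, action, req.params.id);
  if (!decision.allow) {
    return res.status(decision.status).json({ error: decision.status === 404 ? 'not found' : 'forbidden' });
  }
  const up = upstreamRequest(req.user, action, req.params.id);
  const r = await fetch(up.url, { method: up.method, headers: up.headers });
  res.status(r.status).type('application/json').send(await r.text());
}
```

Keeping decide() free of any I/O makes the policy easy to unit-test against sample claims, which is where most authorization bugs (a forgotten team check, a role that silently inherits too much) are cheapest to catch.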

Minimal middleware (Node/Express)

import * as jose from 'jose';

const ISSUER = 'https://app.meingpt.com';
const ORG_ID = '<ORG_ID>'; // your organizationId: both the JWKS path segment and the expected aud

// Remote JWKS: jose caches the key set and refetches it when it sees an unknown kid,
// which is how key rotation on the meinGPT side is picked up.
const JWKS = jose.createRemoteJWKSet(
  new URL(`https://app.meingpt.com/api/custom-apps/v1/jwks/${ORG_ID}`)
);

export async function requireMeinGPTAuth(req, res, next) {
  try {
    // Accept only "Authorization: Bearer <jwt>"; a different scheme is not a token.
    const [scheme, token] = (req.headers.authorization ?? '').split(' ');
    if (scheme !== 'Bearer' || !token) {
      return res.status(401).json({ error: 'Missing token' });
    }

    // Signature (via JWKS), iss, aud, exp and iat are all checked here.
    const { payload } = await jose.jwtVerify(token, JWKS, {
      issuer: ISSUER,
      audience: ORG_ID,
      // algorithms: ['RS256'], // optional: pin to the alg meinGPT publishes in its JWKS
    });

    req.user = payload; // verified claims: sub, email, username, role, teams, ...
    next();
  } catch {
    // One generic 401 for every failure; do not tell the client why verification failed.
    res.status(401).json({ error: 'Invalid token' });
  }
}
