Authentication

Web authentication uses the same JWT model as the other TrainingKit clients.

When getAccessToken() is needed

Provide getAccessToken() in trainingkit.start() only when your TrainingKit API integration requires authenticated requests.

The Web SDK expects your frontend to retrieve the token from your backend, not to sign it locally.

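```js
// Option passed to trainingkit.start(): fetches a token from your backend.
getAccessToken: async function () {
  // The session cookie is sent so the backend can identify the caller.
  const response = await fetch('/api/trainingkit/token', {
    method: 'POST',
    credentials: 'include',
  })

  if (!response.ok) {
    throw new Error('Unable to retrieve TrainingKit access token')
  }

  const data = await response.json()
  return data.accessToken
}
```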

Security requirements

  • Issue JWTs server-side only.
  • Keep the private signing key in your infrastructure only.
  • Do not hardcode access tokens in frontend code.
  • Return short-lived tokens from your backend.
  • Bind user identity and authorization rules in your own backend before issuing the token.
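
The following is an added example, not TrainingKit code, sketching what the backend behind `/api/trainingkit/token` does to meet these requirements: it checks the caller's session, then signs a short-lived token with a key the browser never sees. ES256, the `sub`/`iat`/`exp` claims, the 5-minute lifetime and the `session` fields are assumptions; the actual claim set is defined in API Authentication.

```javascript
// Added example: server-side issuance behind POST /api/trainingkit/token.
const crypto = require('node:crypto')

// Constructed key pair so the example runs offline. In production, load the
// private key from your secret store; it never reaches the browser.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' })

const TOKEN_TTL_SECONDS = 300 // assumption: "short-lived" taken as 5 minutes
const b64url = (value) => Buffer.from(value).toString('base64url')

// `session` is a hypothetical server-side session object that your own
// login flow has already authenticated; `canUseTraining` is a made-up flag.
function issueAccessToken(session, now = Math.floor(Date.now() / 1000)) {
  if (!session || !session.userId) throw new Error('not authenticated')
  if (!session.canUseTraining) throw new Error('not authorized')
  const header = b64url(JSON.stringify({ alg: 'ES256', typ: 'JWT' }))
  // Identity comes from the session, never from the request body.
  const payload = b64url(JSON.stringify({ sub: session.userId, iat: now, exp: now + TOKEN_TTL_SECONDS }))
  const signature = crypto.sign('sha256', Buffer.from(`${header}.${payload}`),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }) // raw r||s, as JWS requires
  return `${header}.${payload}.${b64url(signature)}`
}

// What a verifier holding only the public key checks before trusting claims.
function verifyAccessToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.')
  if (parts.length !== 3) throw new Error('malformed token')
  const [header, payload, signature] = parts
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString())
  if (alg !== 'ES256') throw new Error('unexpected algorithm')
  const valid = crypto.verify('sha256', Buffer.from(`${header}.${payload}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(signature, 'base64url'))
  if (!valid) throw new Error('bad signature')
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString())
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired')
  return claims
}
```

In a real service `issueAccessToken` would be called from the route handler and its result returned as `accessToken` in the JSON body that `getAccessToken()` reads.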

For the full JWT contract, see API Authentication.

For the TrainingKit device/token handshake model, see SDK Authentication.