Hello, the token is returning as 350 characters, whereas it should be 240 from the documentation, how can I fix this?
Hi @Farah_Abdulwahab, thanks for asking. Can you clarify which documentation you are referring to that specifies the length of the token? We would be happy to take a look to understand what might be going on here.
Thanks for clarifying this. The token you are seeing in the docs is an example; the length will not always be fixed and has some variability based on the token payload.
The easiest way to decrypt the token is to use our node sdk. Have you tried this already? Using that, it is one line to get the token payload: `const tokenObject = await copilot.getTokenPayload();`.
We’ve put together a few examples on how to implement this. Check out the custom-app-base. This example uses NextJS and can be quickly deployed on Vercel. If you have a different stack/setup there might be some small changes.
GitHub - copilot-platforms/custom-app-base: This is the base repo for building Copilot custom apps that can be forked to create a new app.
Here is a specific part of the custom-app-base where there is an example of accessing the token from the query param and finding the session information.
I’m currently building a separate system using Node.js with Express, and it runs independently from the main Copilot app. I’m passing the token (from Copilot) via the URL to my site, and then forwarding it to this standalone Node.js server to decode it using the SDK method copilot.getTokenPayload().
However, I’m consistently getting an unauthorized token response.
Just to clarify:
My primary backend is Python-based (not Node.js).
I pass the token from Copilot to my site (hosted separately), and from there to the new Node.js project for decoding.
This Node.js project is not part of the main Copilot app and runs on a different domain.
The decoding step always fails with an unauthorized error.
Could this issue be due to the fact that the Node.js project is not recognized as the main Copilot backend or isn’t hosted under the same domain/origin?
Is there a requirement that the token must be decoded from within the same project/environment (e.g., domain-bound or session-aware)?
If there’s any documentation around how token verification works in custom setups like this — outside the default Next.js/Vercel environment — I’d really appreciate it.
@Farah_Abdulwahab you’ve got the right idea here and one thing I wanted to confirm is that you have set COPILOT_API_KEY env variable to the api key that was provided at the time you created the app. If that is not set or is using a different key you will get an unauthorized error.
Essentially, where you initialize the sdk, both properties need to be set and cannot be empty.
```javascript
const copilot = copilotApi({
  apiKey: process.env.COPILOT_API_KEY, // the api key shown when the app was added to the workspace
  token: token,                        // the token passed to the app (for example via the query param)
});
```
How you set this env var really depends on your project. Without knowing the specifics, the two most natural places I can suggest are:
- if you are using a managed service to run the NodeJS/Express app, you may have to set this environment variable there. This is most likely.
- if you have some deploy system, then it's possible there is some place to set env variables there.
A successful method I found was using the copilot-node-sdk and the copilotApi to get data from the token using the getTokenPayload function. However, there is still an issue: the token we use to decode is just a static token from our backend. Specifically, this token:
token_string = "945877eda264060760a687954bc1b421b542b222fefd1b938e0fb6273be3a4d99322e947622dfd41405dabb48042dc1e22ba85f555a65f967070a2cdc7c0b9a43b2b0a766dc7480417b71328f65aacf0659f8724cd563193e68ac5bb8a163703c4702f37182cf89f0a4079300a53f81d"
This token can be decoded, but other tokens cannot. This suggests that the token in the iframe is not passing correctly. Any thoughts?
Any thoughts on the above?
That’s great to hear that you were able to decode the value. The approach you describe is exactly what I would suggest.
I'm not sure what you mean by just a static token. The token that gets passed to your app is generated dynamically using the api key for the app. If you are finding that the token received in your app can't be decoded, then the issue is likely that you are not using the correct api key.
Can you share the code of how you have set up your app to decode the token? Please do not share sensitive information like the api key; leave that out.
```javascript
import express from 'express';
import bodyParser from 'body-parser';
import { copilotApi } from 'copilot-node-sdk';

const app = express();
app.use(bodyParser.json());

// SDK debug flags; set before the client is created
process.env.COPILOT_DEBUG = 'true';
process.env.COPILOT_ENV = 'local';

// Accepts { "token": "<hex token taken from the Copilot iframe>" } and returns the decoded payload
app.post('/decode_token', async (req, res) => {
  const token = req.body.token;
  if (!token) {
    return res.status(400).json({ success: false, error: 'Missing token in request body' });
  }
  try {
    // Both apiKey and token must be set; COPILOT_API_KEY is the key shown when the app was added
    const copilot = copilotApi({
      apiKey: process.env.COPILOT_API_KEY,
      token: token,
    });
    // The client object holds the api key, so do not paste this output into a public thread
    console.log('====================================');
    console.log(copilot);
    console.log('====================================');
    const tokenPayload = await copilot.getTokenPayload();
    console.log('Successfully decoded token:', tokenPayload);
    return res.status(200).json({
      success: true,
      payload: tokenPayload,
    });
  } catch (error) {
    // The error logged here can also contain the api key (see later in this thread); redact before sharing
    console.error('Failed to decode token:', error);
    return res.status(400).json({
      success: false,
      error: 'Failed to decode token',
      message: error.message,
    });
  }
});

const PORT = 5000;
app.listen(PORT, () => {
  console.log(`Token decoder server running on http://localhost:${PORT}`);
});
```
Thanks, a few things come to mind.
- Can you share how you are calling this endpoint that you’ve set up? Specifically, I would like to confirm how you are passing the token in the request body.
- Can you confirm where you got the value for the api key to set the env var value? If the token is passed in correctly but cannot be decoded, then more than likely the api key being used is incorrect.
- Last, can you share the error you see on the `console.error('Failed to decode token:', error)` line?
This example request uses the token that is parsed from the copilot iframe:
```shell
curl --location 'http://localhost:5000/decode_token' \
--header 'Content-Type: application/json' \
--data '{"token":"2b808a4c61cc878d95277cb2aaaa9ae9b5d777907b07510ca925a7fc852773e9cbc1a9f105f5c04b85fa571b9e051f6e0705586de7fe0f5b34b8cf24657e6fc7c68af0f09d1051c6768d5ad990ad811e91ee28ce5a9117cd37ae5a7a825cb89e1471e3a40b2312da06845f7b9318b70986a989f732aea9dcc2e289eadb043a0dbdc23cbbfe92b7200732e118df1360c757a677e2683734394d8ee8fdbb26d0aa"}'
```
I deleted the second message you shared above because it showed your api key in the error logs.
Based on what you’ve shared above, the issue you are facing is very likely that the API KEY you have set in the env vars is NOT the same as the api key for this app. Each custom app you add in your workspace has a different api key. The token that’s provided is signed with the specific key for that app, and so the same key needs to be used when decrypting. If you don’t have the api key, you will have to re-add the app in your workspace and you will be presented with a new key that you can use.
got it, will do and thank you
I created a new token, as shown in the image, called “decode.” However, I cannot decode the token sent by Copilot. Is it because it is not the same token used by Copilot? If so, how can I create a new token and use it on both Copilot and the decode side (SDK NodeJS)?
The “token” you have created called decode is a new API Key that is not the same as an app API key that you need to decode a token passed to the app.
To create an api key for an app, you want to follow the setting up your first app instructions and use the api key generated there in your env variables.
Keep in mind the token you were using previously won't work with this api key. You will have to get the token by viewing the new app that you added.

