
Unable to login User ID to Web Messenger (Invalid Scope)


We're having issues initialising sessions in Smooch. We've successfully created a JWT token using the account level scope, and we've created a user (mycatalyst_test) using the API. When we use the API, we're able to access and query the user, create messages etc. correctly.

However, when we try to initialise the Smooch web messenger and log the user in:

    Smooch.init({
        appId: 'XXX',
        userId: 'mycatalyst_test',
        jwt: 'XXX',
        embedded: true
    });

We receive the error:

    {"error":{"code":"forbidden","description":"Invalid scope"}}

We've checked the documentation and can't find any reference to the Invalid scope error or the Forbidden code in the Web Messenger documentation, and we're able to use the same JWT key to access the information through the API successfully, so we're not entirely sure what's going wrong.

We tried using the App scope rather than the Account scope to generate a new JWT key, but this also didn't work. We tried using the Smooch ID rather than the User ID, but this also didn't work.

We're at a bit of a loose end here, so would appreciate any pointers! (We're probably doing something stupid and obvious!)


Solution

  • See the documentation for authenticating users. When supplying a JWT to the login API, you must use a scope of appUser, otherwise you would be distributing JWTs to your users that give access to your whole account/app!

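    const jwt = require('jsonwebtoken');

    // SECRET and KEY_ID are placeholders for the signing key's secret and id;
    // userId is the user being logged in.
    const token = jwt.sign({
        scope: 'appUser',
        userId: userId
    },
    SECRET,
    {
        header: {
            alg: 'HS256',
            typ: 'JWT',
            kid: KEY_ID
        }
    });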
    

    There is also this note in the authorization section of the REST API documentation:

    An additional scope of appUser can also be used to authenticate users when using one of the Smooch native SDK integrations. For information on how and when to use this scope, see the guide for authenticating users.
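
The check the answer implies, as an added example that is not part of the original answer or Smooch's own code: a server-side guard that verifies a token and refuses to hand anything but an appUser token for the expected user to Smooch.init. It uses Node's built-in crypto rather than a JWT library; signJwt, signAppUserJwt and assertSafeForClient are hypothetical helper names, and the key id and secret are whatever your key provides.

```javascript
// Added example: not Smooch's code. Helper names are hypothetical.
const crypto = require('crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Minimal HS256 signer, same header shape as the jwt.sign() call in the answer.
function signJwt(claims, keyId, secret) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT', kid: keyId }));
  const payload = b64url(JSON.stringify(claims));
  const signingInput = `${header}.${payload}`;
  return `${signingInput}.${hmac(signingInput, secret).toString('base64url')}`;
}

// Only ever mint appUser tokens for delivery to a browser.
function signAppUserJwt(userId, keyId, secret) {
  return signJwt({ scope: 'appUser', userId }, keyId, secret);
}

// Guard to run server-side before a token is embedded in a page for Smooch.init().
// Returns the token unchanged, or throws with the reason it must not be sent.
function assertSafeForClient(token, expectedUserId, secret) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [header, payload, signature] = parts;

  // Verify the HMAC first, in constant time, so unauthenticated claims are never trusted.
  const expected = hmac(`${header}.${payload}`, secret);
  const given = Buffer.from(signature, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('signature mismatch');
  }
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
  if (alg !== 'HS256') throw new Error('unexpected alg');

  // An account- or app-scoped token in the browser would expose the whole account/app.
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (claims.scope !== 'appUser') throw new Error(`scope "${claims.scope}" must stay server-side`);
  if (claims.userId !== expectedUserId) throw new Error('token issued for a different user');
  return token;
}
```

Call assertSafeForClient on the token just before it is rendered into the page; a token minted with the account or app scope fails here instead of reaching the browser.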