Domino uses the OpenID Connect (OIDC) protocol to generate user-specific JWT tokens, or Domino Tokens. Domino securely signs this Domino token and makes it available in your Workspace, Job, App, Scheduled Job, or Launcher. You can use it to authenticate to third-party resources or data sources. Additionally, this token can be used to authenticate with the Domino API.
Because the token is short-lived and Domino automatically refreshes it, an example of when you can use it is if you want to limit a user’s access to a data source exclusively from Domino. This has security advantages over provisioning long-lived keys that can be used anywhere or by anyone.
Workspaces, Jobs, Apps, Scheduled Jobs, and Launchers have a Domino Token for the user.
This is at path
This is indicated by environment variable
By default, the Domino Token expires at five minutes, but is automatically refreshed throughout your workspace or job.
For example, from a workspace, you can authenticate to one of the Domino APIs with the following:
TOKEN=`cat $DOMINO_TOKEN_FILE` curl -H "Authorization: Bearer $TOKEN" $DOMINO_API_HOST/v4/users/self
Each system will have different steps for configuration but will likely require that you enter Domino’s JWKS endpoint which is
For offline services, retrieve and record the JWKS data to use offline with your library.
Alternatively, you can use the public key or certificate which can be found at
See JSON Web Key Sets to learn more about JWKS.
By default, the Domino Token contains standard claims like name, username, and email, but you add mappers in the
domino-play client in Keycloak to include additional custom claims.
This can be useful if you intend to set up bounded claims in the system to which you are integrating.
For example, you might want to only authorize users with a specific organization claim or any other SAML assertion that flows into Domino from your Identity Provider.
See JWT.io for information about decoding and inspecting the content of a JWT token.