Securing Crowdin Apps

To ensure a high level of security when a Crowdin app works with data from Crowdin Enterprise (i.e. uses authorization via authorization_code), we've developed a security mechanism. Its main principle is the exchange of a JWT token between Crowdin Enterprise and the Crowdin app. The JWT token is signed with the OAuth Client Secret, which is known only to the two parties. This way, the Crowdin app can confirm that the page was opened from Crowdin Enterprise and not from somewhere else.

To implement the authorization and authentication in your Crowdin app, follow these steps:

  • Add authorization via authorization_code to your app descriptor, together with the OAuth Client ID that will be used for authorization.
  • Add a callback to your Crowdin app that handles the Installed Event.
  • Specify in your app descriptor the set of scopes your Crowdin app needs. This set shouldn't exceed the scopes granted to the OAuth app.

With this in place, on each request to the Crowdin app, Crowdin Enterprise passes a set of parameters along with a security token, which can be validated using the secret of the OAuth app.

Below you can check out an example of the URL used by Crowdin Enterprise to open a module page.

Query parameters:

  • Type: string. Description: JWT token used for authorization.
  • Type: string (url). Description: Host used for opening a module page.
  • Type: string. Description: The ID of the OAuth Client used for authorization.

The best practice is to add middleware to the Crowdin app that verifies that each request carries a token with a valid signature and expiry. You can use one of the existing JWT libraries to validate the authenticity of the token.

JWT Token Structure

JWT token consists of the following parts:

  • Header - contains information about the type of the token and encoding algorithms.
  • Payload - contains additional information about the issue and expiration dates of the token, the information about the token issuer and requestor, and other contextual information.
  • Signature - the part with a signature based on the header and payload.

JWT token payload example:

  {
    "aud": "Br4a2hpQiNW96anuuO4a",
    "sub": "1",
    "domain": null,
    "context": {},
    "iat": 1600000000,
    "exp": 1600000900
  }


  • aud - Type: string. Description: ID of the OAuth Client that issued the token.
  • sub - Type: string. Description: Identifier of the user that is making a request to the Crowdin app.
  • domain - Type: string|null. Required: yes. Description: The name of the organization from which the app is accessed.
  • context - Type: object. Description: Information about the environment where the Crowdin app module is opened (e.g., project, organization, locale, user's timezone, etc.).
  • iat - Type: int. Description: Identifies the issue time of the token.
  • exp - Type: int. Description: Identifies the expiration time of the token.

IP Allowlist for Crowdin Apps

If you have configured an IP allowlist for your Crowdin Enterprise organization, add your Crowdin app's IP address to that allowlist. For improved security, also implement an IP allowlist in your Crowdin app itself; in that case, make sure to add the following IP addresses of Crowdin Enterprise:
