JSON Web Token (JWT)

Some widget use cases require validated data integrity from your backend to prevent misuse by end-users or malicious actors. In such cases, you need to create and sign a JSON Web Token (JWT) using a public/private key pair, and pass that token to widgets as properties.

#Prerequisites

Before starting this tutorial, ensure you have:

OpenSSL toolkit installed for generating RSA keys
Backend development environment (Node.js, Python, Java, or similar) capable of signing JWT tokens
JWT library for your backend language (e.g., jsonwebtoken for Node.js)
Access to your Sportradar account representative to submit your public key
Product-specific credentials if implementing Virtual Stadium or Bet Concierge:
- Virtual Stadium API key (provided during onboarding)
- Bet Concierge brand ID (provided during onboarding)

#Implementation Steps

The following diagram illustrates the JWT authentication flow:

#Step 1: Generate RSA Key Pair

Generate a pair of RSA keys using the OpenSSL toolkit:

# Generate private key (2048-bit RSA)
openssl genrsa -out rsa-private.pem 2048

# Extract public key from private key
openssl rsa -in rsa-private.pem -pubout -outform PEM -out rsa-public.pem

This creates two files:

rsa-private.pem - Keep this secure on your backend server
rsa-public.pem - Send this to Sportradar

warning

Never expose your private key (rsa-private.pem) in client-side code, version control, or logs. Store it securely using environment variables or a secrets management system.
Never generate or sign JWT tokens in client-side JavaScript. Always create tokens on your backend to keep your private key secure.

Next action: Send the rsa-public.pem file to your Sportradar sales or client setup representative. They will configure the system to validate tokens signed with your private key.

#Step 2: Create JWT Tokens for Users

Every logged-in user requires their own unique JWT. You have two implementation options:

Generate on-demand: Create a new token for each page request
Cache with TTL: Generate once and cache on your backend until near expiration

#Required Base Claims

All JWT tokens must include these standard claims:

javascript

{
    sub: '<id>',
    scope: 'av' | 'vs' | 'sb' | 'av vs sb',
    iat: 1681718850
}

Claim Descriptions:

Claim	Type	Description	Example
`sub`	string	Unique end-user identifier. Use your system's user ID or a salted hash if you prefer not to expose actual IDs.	`'user_12345'` or `'a3f5b2c8d1e4'`
`scope`	string	Space-separated permissions for this user. Controls access to specific features. `av` - Enables audio/video stream access in Live Match Tracker. `vs` - Virtual Stadium access. `sb` - Bet Concierge access	`'av vs'` for LMT audio/video and Virtual Stadium (space-separated)
`iat`	number	Token issued-at timestamp in seconds since Unix epoch (UTC). Default validity: 16 hours.	`1681718850`

tip

The iat claim is typically added automatically by JWT libraries. You can also add an exp (expiration) claim to set a shorter validity period than the default 16 hours.

#Additional Claims for Virtual Stadium

If implementing Virtual Stadium (scope vs), include these additional claims:

javascript

{
    // Base claims (sub, scope, iat)
    apiKey: '<key>',
    userId: '<id>',
    displayName: '<userName>',
    userType: 'Normal' | 'VIP'
}

Claim	Type	Description	Example
`apiKey`	string	Your Virtual Stadium API key (provided during onboarding)	`'vs_api_key_abc123'`
`userId`	string	Unique identifier for the user in Virtual Stadium	`'user_12345'`
`displayName`	string	Public name shown to other users in the Virtual Stadium interface	`'JohnDoe'` or `'Player123'`
`userType`	string	User access level: `'Normal'` or `'VIP'`. VIP users have highlighted chat messages.	`'VIP'`

#Additional Claims for Bet Concierge

If implementing Bet Concierge (scope sb), include these additional claims:

javascript

{
    // Base claims (sub, scope, iat)
    // ... plus:
    sbBrandId: '<id>',
    sbUserType: '<type>'
}

Claim	Type	Description	Example
`sbBrandId`	string	Your brand identifier (provided during onboarding)	`'brand_xyz789'`
`sbUserType`	string	Access level or category for the user in the bet concierge system. Can be any string value agreed upon with Sportradar during your client setup. This value is used for rate limiting and must be registered with your client setup configuration before issuing JWTs with it. Can be left empty if only a single user type is expected (e.g., in a development environment).	`'premium'` or `'standard'`

#Step 3: Sign the Token

Sign the JWT using your private key from Step 1. The signing algorithm must be RS256 (RSA Signature with SHA-256).

#Node.js Example

javascript

import jwt from "jsonwebtoken";

// Create token with base claims
const token = jwt.sign(
  {
    sub: "user_12345",
    scope: "av vs", // Audio/video + Virtual Stadium
    // iat is added automatically
  },
  process.env.PRIVATE_SIGNING_KEY,
  { algorithm: "RS256" },
);

#Example With Virtual Stadium Claims

javascript

const vsToken = jwt.sign(
  {
    sub: "user_12345",
    scope: "vs",
    apiKey: process.env.VS_API_KEY,
    userId: "user_12345",
    displayName: "John Doe",
    userType: "Normal",
  },
  process.env.PRIVATE_SIGNING_KEY,
  { algorithm: "RS256" },
);

#Step 4: Pass JWT to Widgets

Deliver the signed JWT from your backend to your frontend application, then pass it to the widget during initialization.

Pass the JWT as a property when adding the widget using SIR:

javascript

SIR("addWidget", "#my-widget", "widget_name_here", {
  jwt: generatedJwtToken,
  // ... other widget properties
});

#Complete Frontend Example

html

<div id="lmt-widget"></div>

<script>
  // Assume 'userJWT' is passed from your backend
  const userJWT = "{{ jwt_from_backend }}";

  // Initialize Live Match Tracker with JWT for audio/video
  SIR("addWidget", "#lmt-widget", "sr-widgets-lmt", {
    matchId: "sr:match:12345",
    jwt: userJWT,
    // ... other configuration
  });
</script>

#Key Rotation

If you need to rotate your private signing key, follow this process to rotate your JWT signing keys without service interruption:

#Rotation Process

Generate new key pair: Create a new RSA key pair using the same process as Step 1
Submit public key: Send the new public key to your Sportradar representative
Wait for confirmation: Sportradar will add the new key to your configuration and notify you
Transition period: Both old and new keys will work simultaneously
Update backend: Switch your backend to use the new private key for signing
Notify completion: Inform Sportradar when migration is complete
Old key disabled: Sportradar will remove the old public key from the configuration

#Prerequisites

Before starting this tutorial, ensure you have:

OpenSSL toolkit installed for generating RSA keys
Backend development environment (Node.js, Python, Java, or similar) capable of signing JWT tokens
JWT library for your backend language (e.g., jsonwebtoken for Node.js)
Access to your Sportradar account representative to submit your public key
Product-specific credentials if implementing Virtual Stadium or Bet Concierge:
- Virtual Stadium API key (provided during onboarding)
- Bet Concierge brand ID (provided during onboarding)

#Implementation Steps

The following diagram illustrates the JWT authentication flow:

#Step 1: Generate RSA Key Pair

Generate a pair of RSA keys using the OpenSSL toolkit:

# Generate private key (2048-bit RSA)
openssl genrsa -out rsa-private.pem 2048

# Extract public key from private key
openssl rsa -in rsa-private.pem -pubout -outform PEM -out rsa-public.pem

This creates two files:

rsa-private.pem - Keep this secure on your backend server
rsa-public.pem - Send this to Sportradar

warning

Next action: Send the rsa-public.pem file to your Sportradar sales or client setup representative. They will configure the system to validate tokens signed with your private key.

#Step 2: Create JWT Tokens for Users

Every logged-in user requires their own unique JWT. You have two implementation options:

Generate on-demand: Create a new token for each page request
Cache with TTL: Generate once and cache on your backend until near expiration

#Required Base Claims

All JWT tokens must include these standard claims:

javascript

{
    sub: '<id>',
    scope: 'av' | 'vs' | 'sb' | 'av vs sb',
    iat: 1681718850
}

Claim Descriptions:

Claim	Type	Description	Example
`sub`	string	Unique end-user identifier. Use your system's user ID or a salted hash if you prefer not to expose actual IDs.	`'user_12345'` or `'a3f5b2c8d1e4'`
`scope`	string	Space-separated permissions for this user. Controls access to specific features. `av` - Enables audio/video stream access in Live Match Tracker. `vs` - Virtual Stadium access. `sb` - Bet Concierge access	`'av vs'` for LMT audio/video and Virtual Stadium (space-separated)
`iat`	number	Token issued-at timestamp in seconds since Unix epoch (UTC). Default validity: 16 hours.	`1681718850`

tip

The iat claim is typically added automatically by JWT libraries. You can also add an exp (expiration) claim to set a shorter validity period than the default 16 hours.

#Additional Claims for Virtual Stadium

If implementing Virtual Stadium (scope vs), include these additional claims:

javascript

{
    // Base claims (sub, scope, iat)
    apiKey: '<key>',
    userId: '<id>',
    displayName: '<userName>',
    userType: 'Normal' | 'VIP'
}

Claim	Type	Description	Example
`apiKey`	string	Your Virtual Stadium API key (provided during onboarding)	`'vs_api_key_abc123'`
`userId`	string	Unique identifier for the user in Virtual Stadium	`'user_12345'`
`displayName`	string	Public name shown to other users in the Virtual Stadium interface	`'JohnDoe'` or `'Player123'`
`userType`	string	User access level: `'Normal'` or `'VIP'`. VIP users have highlighted chat messages.	`'VIP'`

#Additional Claims for Bet Concierge

If implementing Bet Concierge (scope sb), include these additional claims:

javascript

{
    // Base claims (sub, scope, iat)
    // ... plus:
    sbBrandId: '<id>',
    sbUserType: '<type>'
}

Claim	Type	Description	Example
`sbBrandId`	string	Your brand identifier (provided during onboarding)	`'brand_xyz789'`
`sbUserType`	string	Access level or category for the user in the bet concierge system. Can be any string value agreed upon with Sportradar during your client setup. This value is used for rate limiting and must be registered with your client setup configuration before issuing JWTs with it. Can be left empty if only a single user type is expected (e.g., in a development environment).	`'premium'` or `'standard'`

#Step 3: Sign the Token

Sign the JWT using your private key from Step 1. The signing algorithm must be RS256 (RSA Signature with SHA-256).

#Node.js Example

javascript

import jwt from "jsonwebtoken";

// Create token with base claims
const token = jwt.sign(
  {
    sub: "user_12345",
    scope: "av vs", // Audio/video + Virtual Stadium
    // iat is added automatically
  },
  process.env.PRIVATE_SIGNING_KEY,
  { algorithm: "RS256" },
);

#Example With Virtual Stadium Claims

javascript

const vsToken = jwt.sign(
  {
    sub: "user_12345",
    scope: "vs",
    apiKey: process.env.VS_API_KEY,
    userId: "user_12345",
    displayName: "John Doe",
    userType: "Normal",
  },
  process.env.PRIVATE_SIGNING_KEY,
  { algorithm: "RS256" },
);

#Step 4: Pass JWT to Widgets

Deliver the signed JWT from your backend to your frontend application, then pass it to the widget during initialization.

Pass the JWT as a property when adding the widget using SIR:

javascript

SIR("addWidget", "#my-widget", "widget_name_here", {
  jwt: generatedJwtToken,
  // ... other widget properties
});

#Complete Frontend Example

html

<div id="lmt-widget"></div>

<script>
  // Assume 'userJWT' is passed from your backend
  const userJWT = "{{ jwt_from_backend }}";

  // Initialize Live Match Tracker with JWT for audio/video
  SIR("addWidget", "#lmt-widget", "sr-widgets-lmt", {
    matchId: "sr:match:12345",
    jwt: userJWT,
    // ... other configuration
  });
</script>

#Key Rotation

If you need to rotate your private signing key, follow this process to rotate your JWT signing keys without service interruption:

#Rotation Process

Generate new key pair: Create a new RSA key pair using the same process as Step 1
Submit public key: Send the new public key to your Sportradar representative
Wait for confirmation: Sportradar will add the new key to your configuration and notify you
Transition period: Both old and new keys will work simultaneously
Update backend: Switch your backend to use the new private key for signing
Notify completion: Inform Sportradar when migration is complete
Old key disabled: Sportradar will remove the old public key from the configuration

#Prerequisites

#Implementation Steps

#Step 1: Generate RSA Key Pair

#Step 2: Create JWT Tokens for Users

#Required Base Claims

#Additional Claims for Virtual Stadium

#Additional Claims for Bet Concierge

#Step 3: Sign the Token

#Node.js Example

#Example With Virtual Stadium Claims

#Step 4: Pass JWT to Widgets

#Widget Integration

#Complete Frontend Example

#Key Rotation

#Rotation Process

JSON Web Token (JWT)

#Prerequisites

#Implementation Steps

#Step 1: Generate RSA Key Pair

#Step 2: Create JWT Tokens for Users

#Required Base Claims

#Additional Claims for Virtual Stadium

#Additional Claims for Bet Concierge

#Step 3: Sign the Token

#Node.js Example

#Example With Virtual Stadium Claims

#Step 4: Pass JWT to Widgets

#Widget Integration

#Complete Frontend Example

#Key Rotation

#Rotation Process