Adding authentication

An out-of-the-box Formsort flow allows anyone to access it.

To restrict the responders who are allowed to complete your flows, it's possible to connect your identity provider, so that you can only permit authenticated users.

Today, we support , and plan to add other providers depending on demand.

Setting up Auth0 authentication

Authentication is configured on a flow-by-flow basis, like other integrations, and can be configured on a per- basis.

You should see that once an identity provider is configured, you will not be able to access variants within the flow, until you provide a valid ID token.

Passing an ID token to the flow

To identify the responder, you must pass a valid Auth0 ID token JSON Web Token (JWT) into the flow.

First, use the Auth0 client libraries to authenticate your responder within the page that is embedding the Formsort form.

Once your user is authenticated, you can initialize the Formsort embed, and pass an authentication object in your configuration, with the idToken containing the ID token JWT.

  authentication?: {
    idToken?: string; // ID Token for authenticated flows
  };

Behind the scenes

An authenticated flow will verify the ID token in the following places:

1. When uploading answers.

2. When downloading answers (for returning responders).

Dealing with authentication errors

The web embed will emit an unauthorized event whenever the embedded flow has an authentication requirement but the idToken is missing or is invalid.

It's important to handle this, since even correctly-formatted tokens are only valid for a limited period of time.

When you receive an unauthorized event, prompt the user to re-authenticate, and re-initialize the embed with the newly-generated ID token.

Authenticating API variable lookups

Formsort does, however, include credentials when making API requests from authenticated flow. This means that if you set cookies within the parent page, they will be included with API requests, which you can use to verify users.