Configuring JWT for ONLYOFFICE Docs

To protect documents from unauthorized access, ONLYOFFICE editors use JSON Web Tokens (JWT). The token is added to the configuration when the Document Editor is initialized and during the exchange of commands between internal ONLYOFFICE Docs services. The secret key is used to sign the token and to validate it when a request is made to ONLYOFFICE Docs.

Starting from ONLYOFFICE Docs v.7.2, JWT is enabled by default and the secret key is generated automatically. You can always change the parameters to the ones you require. When upgrading from an earlier version, any manually configured secret keys will be preserved.

To protect your documents, specify your own secret key in the ONLYOFFICE Docs configuration file, then specify the same secret key in the connector settings. If you are using a version earlier than 7.2, you will also need to enable token validation.

For Linux/Windows: Configure ONLYOFFICE Docs
  1. Open the local.json file with any available text editor.
    • For Linux — /etc/onlyoffice/documentserver/local.json
    • For Windows — %ProgramFiles%\ONLYOFFICE\DocumentServer\config\local.json
  2. If you are using a version earlier than 7.2, enable token validation by changing the false value to true in three sections:
    • services.CoAuthoring.token.enable.browser
    • services.CoAuthoring.token.enable.request.inbox
    • services.CoAuthoring.token.enable.request.outbox
  3. Specify your own secret key by replacing the secret value with your own text string in three sections. The secret key must be identical across all three sections.
    • services.CoAuthoring.secret.inbox.string
    • services.CoAuthoring.secret.outbox.string
    • services.CoAuthoring.secret.session.string
    {
      "services": {
        "CoAuthoring": {
          "token": {
            "enable": {
              "request": {
                "inbox": true,
                "outbox": true
              },
              "browser": true
            }
          },
          "secret": {
            "inbox": {
              "string": "<your_secret_key>"
            },
            "outbox": {
              "string": "<your_secret_key>"
            },
            "session": {
              "string": "<your_secret_key>"
            }
          }
        }
      }
    }
    
  4. Save your changes.
  5. Restart the services for the config changes to take effect:
    systemctl restart ds-converter ds-docservice ds-metrics
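
A check that can be run on local.json after steps 2 and 3, before restarting the services. This is an added example, not ONLYOFFICE code: the function names and the 32-character minimum are assumptions of the example, and it assumes the file carries the token flags explicitly, as in the sample above.

```python
import json
import sys

# Dotted setting names from steps 2 and 3 above.
ENABLE_PATHS = (
    "services.CoAuthoring.token.enable.browser",
    "services.CoAuthoring.token.enable.request.inbox",
    "services.CoAuthoring.token.enable.request.outbox",
)
SECRET_PATHS = (
    "services.CoAuthoring.secret.inbox.string",
    "services.CoAuthoring.secret.outbox.string",
    "services.CoAuthoring.secret.session.string",
)
MIN_SECRET_LEN = 32  # assumption of this example, not an ONLYOFFICE requirement

# Constructed sample: inbox validation left off, session secret out of sync.
SAMPLE_BAD = """{"services": {"CoAuthoring": {
  "token": {"enable": {"request": {"inbox": false, "outbox": true}, "browser": true}},
  "secret": {"inbox": {"string": "constructed-sample-secret-0123456789abcdef"},
             "outbox": {"string": "constructed-sample-secret-0123456789abcdef"},
             "session": {"string": "<your_secret_key>"}}}}}"""

def lookup(cfg, dotted):
    """Walk a dotted path through nested dicts; None if any key is missing."""
    node = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit_jwt_config(text):
    """Return findings for a local.json document; an empty list means it passes."""
    cfg = json.loads(text)
    findings = [f"{p} is not true" for p in ENABLE_PATHS if lookup(cfg, p) is not True]
    secrets = {p: lookup(cfg, p) for p in SECRET_PATHS}
    for path, value in secrets.items():
        if not isinstance(value, str) or not value:
            findings.append(f"{path} is missing or empty")
        elif value.startswith("<") or len(value) < MIN_SECRET_LEN:
            findings.append(f"{path} is a placeholder or under {MIN_SECRET_LEN} characters")
    if len({repr(v) for v in secrets.values()}) != 1:
        findings.append("secret is not identical across inbox, outbox and session")
    return findings

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BAD
    print("\n".join(audit_jwt_config(text)) or "JWT settings OK")
```

Findings name the setting only and never echo the secret value, so the output can be shared without exposing the key.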

For Docker: Use environment variables

For Docker deployments, use environment variables in the docker run command instead of editing local.json directly.

Warning: If you change the automatically generated secret key or disable JWT manually in /etc/onlyoffice/documentserver/local.json, JWT will be enabled again and the secret key will be re-generated during server restart. Always use environment variables to configure JWT in Docker deployments.

To apply new environment variables, you must recreate the container. Stop and remove the existing container, then run a new one with the updated parameters:

sudo docker stop documentserver
sudo docker rm documentserver
sudo docker run -i -t -d -p 80:80 \
  -e JWT_ENABLED=true \
  -e JWT_SECRET=<your_secret_key> \
  onlyoffice/documentserver

To disable JWT, use -e JWT_ENABLED=false instead.
