To prevent unauthorized access to your documents and the substitution of important parameters in ONLYOFFICE Document Server requests, Document Server uses JSON Web Token (JWT) compatible tokens. The tokens are signed by the server key, so the client is able to verify that the token is legitimate.
The token is added in the configuration when initializing Document Server and during the exchange of commands between the document storage service and the document editing service, document command service and document conversion service.
Document Server validates the token. If it is valid, the data from the payload is used instead of the corresponding data from the main parameters. If the token is invalid, the command is not executed and no parameters are used or changed.
The token can be sent in either the request header or the request body.
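The validation rule described above, modelled as an added example (not ONLYOFFICE code). It assumes an HS256 token signed with a shared secret and carried in a `token` field of the request body; the function names, field names and sample values are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 token over `payload` (HS256 is an assumption)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def verify(token: str, secret: bytes) -> dict:
    """Return the payload if the signature is valid, else raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        # Pin the algorithm so the token cannot pick its own (e.g. "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise ValueError("unexpected algorithm")
        mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(sig)):
            raise ValueError("signature mismatch")
        payload = json.loads(b64url_decode(body))
        if not isinstance(payload, dict):
            raise ValueError("payload is not an object")
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError(f"invalid token: {exc}") from None
    return payload

def effective_params(request: dict, secret: bytes) -> dict:
    """Valid token: payload values replace the matching plain parameters.
    Invalid token: ValueError propagates and no parameter is used."""
    payload = verify(request["token"], secret)
    params = {k: v for k, v in request.items() if k != "token"}
    params.update(payload)
    return params

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample key
    token = sign({"key": "doc-123"}, secret)
    print(effective_params({"key": "doc-999", "token": token}, secret))
```

Because the signed payload wins over the plain parameters, a value altered in transit outside the token has no effect, and a value altered inside the token invalidates the signature.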