Security
ONLYOFFICE Docs uses token-based validation to ensure that requests between services have not been tampered with. Every request — whether it comes from the document editor initializing with a config, or passes between the document storage service and the document editing service, document command service, document conversion service, or document builder service — can carry a cryptographic token that the receiving side verifies before acting on the request.
Tokens are generated using the JSON Web Token (JWT) standard and signed with a secret key shared between the integrator's server and ONLYOFFICE Docs. When a token is present, ONLYOFFICE Docs validates it and uses the data from the token payload instead of the corresponding request parameters. If the token is missing or invalid, the request is rejected.
See the Signature section for setup instructions and code examples.
Local links (URLs pointing to private or internal addresses) always require a token. Include a token when using local links in the following methods: insertImage, setHistoryData, setMailMergeRecipients, setReferenceData, setReferenceSource, setRequestedDocument, setRequestedSpreadsheet, setRevisedFile. A token is also required when specifying a local URL for opening or conversion.
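The token check described above, as an added sketch in Python (not ONLYOFFICE code): the integrator signs a payload with the shared secret, and the receiving side rejects a missing or invalid token and lets signed values replace same-named request parameters. Assumptions: HS256 as the signing algorithm, the helper names, the flat merge used to model the replacement, and the constructed secret, key and URLs.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed placeholder, not a real key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(header: str, body: str, secret: bytes) -> bytes:
    return hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()

def sign(payload: dict, secret: bytes = SECRET) -> str:
    """Integrator side: compact JWT (HS256 assumed) over the payload."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    return f"{header}.{body}.{b64url(mac(header, body, secret))}"

def verify(token, secret: bytes = SECRET) -> dict:
    """Receiving side: return the signed payload or raise ValueError."""
    if not token:
        raise ValueError("token missing")
    try:
        header, body, sig = token.split(".")
        alg = json.loads(b64url_decode(header)).get("alg")
    except (AttributeError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if alg != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(mac(header, body, secret), b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def effective_request(params: dict, token) -> dict:
    """Model of the rule above: signed values replace request parameters."""
    return {**params, **verify(token)}

if __name__ == "__main__":
    signed = {"url": "https://example.com/files/report.docx", "key": "constructed-key-1"}
    token = sign(signed)
    # A parameter altered in transit is ignored in favour of the signed value.
    print(effective_request({"url": "https://example.com/files/other.docx"}, token))
```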