Authenticate Call to External Service

Feature(s) impacted

This is about authenticating calls from Smart Actions to an external service. I’m hoping to learn best-practices for making a secure call to our service’s main API.


Our application uses a highly-customized API with fine-grained controls over the state of each resource. Rather than duplicate the functionality for the admin actions allowed by the primary API into Forest, I’d like to use Forest Smart-Actions to collect the inputs and send those to our external API. Our API uses standard JWT auth.

Observed behavior

I can see the req.user object in my Smart Action. However, I’m of how to authorize that user to interact with my external API.

Expected behavior

I expect that I should write a JWT class/service that extracts some fields from the req.user object, creates a new short-lived JWT, and fires off the request to the other API before resolving. However, I’m not sure if that should be in each smart action, or if I can extend the permissionMiddlewareCreator.smartAction(), or if I should write my own middleware function that wraps all my external calls.


  • Project name: …tiller
  • Team name: …personal space
  • Environment name: …Development (FEAT/ACTIONS)
  • Agent type & version: …
  • Recent changes made on your end if any: …


  • I found documentation for relying on an external API call. However, I’m still unsure what the best practice would be for an API with JWT auth.
1 Like

Hi @jev :wave: welcome to our community.
Connecting another API with authentification is a big topic today.
The main question is how your target API authenticate the current (forest admin) user?
If you can create a short-lived signed JWT to call your API that’s ok. I suggest you to create a specific middleware who give you the token used for your next call instead of modifying permissionMiddleware.

Edit: if your API require cookies for authentification, I suggest you to have a look on this documentation.