The service token is a simple JWT token that can easily be created by using service and stage name, as well as the secret. You can create the token yourself and attach it. Take a look at the actual code the prisma CLI is using:
getToken(serviceName: string, stageName: string): string | undefined {
if (this.secrets) {
const data = {
data: {
service: `${serviceName}@${stageName}`,
roles: ['admin'],
},
}
return jwt.sign(data, this.secrets[0], {
expiresIn: '7d',
})
}
return undefined
}
Source: https://github.com/prisma/prisma/blob/master/cli/packages/prisma-yml/src/PrismaDefinition.ts
More information regarding the structure:
Service tokens follow the JSON Web Token (JWT) specification (RFC 7519):
"JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted."
A JWT has the following three components:
Header: The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm being used (which is HS256 in the case of Prisma service tokens).
{ "alg": "HS256", "typ": "JWT" }
Payload: The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. Here is what it looks like for a service called demo deployed to the dev stage:
{
"data": {
"service": "demo@dev",
"roles": ["admin"]
},
"iat": 1532530208,
"exp": 1533135008
}
Signature: The signature is used to verify the message wasn't changed along the way. To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that. For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:
HMACSHA256(base64UrlEncode(header) + '.' + base64UrlEncode(payload), secret)
Therefore, a JWT typically looks like this: xxxxx.yyyyy.zzzzz
Source: https://www.prisma.io/docs/prisma-server/authentication-and-security-kke4/#service-token
Would you know how to specify the service-name and stage-name with prisma? Is this something to be done in
yml?The service and stage can be defined in your prisma endpoint environment variable, e.g.
PRISMA_ENDPOINT="http://localhost:4466/SERVICE/STAGE". See prisma.io/docs/understand-prisma/… in the section "Learn more about the endpoints of Prisma services".