The following guide outlines how to create an endpoints on your authentication server to support JWT account login.

Sign users into the Privacy Center using JWTs.

We recommend setting up a redirect URL on your server that checks a user's authentication, then redirects the user to the Privacy Center with a JWT on the URL fragment.

If you haven't read about "identifiers" yet, we recommend reading this doc first.

Here's the flow:

  1. The end-user is sent to a route on your site, (for example, https://api.{{yourOrganizationDomain}}/privacy-center-redirect).
  2. Check their session:
    • If they are not logged in, redirect them to your login page, ideally in a way where they will return to this route after a successful login attempt.
    • If they are logged in, first generate a JWT on your backend containing information about their session:
const jwt = require('jsonwebtoken');
const token = jwt.sign(
* This can be the email (if globally unique) or the user ID of the
* data subject in your user table.
coreIdentifier: 'benfarrell',
* The main email address for the data subject.
* Used to query data and to communicate with the data subject.
email: '',
* Whether the email is already verified as belonging to the data subject.
* When set to false, Transcend will verify the email using a magic link,
* so long as Transcend email verification is turned on for your organization.
* Email verification can be configured on the Request Identifier Settings
* (
* If you want Transcend to always perform email verification as a second
* factor of auth, leave this as always false.
emailIsVerified: true, // defaults to false
* OPTIONAL - Additional identifiers that your server is attesting to.
* Each of these identifiers can be used to look up data in the data
* systems on your data-map. Setting this is similar to the Identity
* Enrichment step.
* It is extremely important that you have verified that these identifiers
* belong to the data subject with this coreIdentifier and email.
attestedExtraIdentifiers: {
custom: [{ name: 'deviceId', value: '123' }],
* OPTIONAL - Additional metadata about the data subject, to be displayed
* on the Privacy Center. Be sure to match these supported keys.
profile: {
nickname: 'Ben',
picture: '', // profile avatar
SIGNING_PRIVATE_KEY, // more on this in "Generate a keypair" below
algorithm: 'ES384', // required
expiresIn: 1000 * 60 * 15, // expires in 15 minutes
// You can find your Organization URI at
audience: yourOrganizationURI, // required
  1. Lastly, redirect (HTTP status code 302 or 303) the authenticated user to your Privacy Center at the /login route, and include the JWT after a # fragment:
https://privacy.{{yourOrganizationDomain}}/login#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 ...

That way, users who are logged in and click on the privacy policy link will arrive in the Privacy Center with an already-authenticated session.

To protect your private key, the JWT has to be signed server-side, but the signed token can be sent to the frontend.

Transcend expects your JWT to be signed using the ES384 algorithm. A keypair can be generated using the following script.

openssl ecparam -name secp384r1 -genkey -noout -out "$PRIVATE_FILE"
openssl ec -in "$PRIVATE_FILE" -pubout -out "$PUBLIC_FILE"

You can set your public key in the Data Subject settings on the Admin Dashboard.