# Authentication

> Secure authentication for Reach

Reach uses JSON Web Tokens (JWT) for secure authentication. Each token links a user in your system to a user in Reach.

<Note>
  Please reach out to [support@embedreach.com](mailto:support@embedreach.com) to
  get a Shared Secret for your platform in order to generate JWT tokens.
</Note>

<Note>
  If your app enforces security headers like Content Security Policy (CSP) or Cross-Origin Opener Policy (COOP), see [Security Headers (CSP & COOP)](/embeddable-ui/security-headers) for required configurations.
</Note>

## Tenant Scoped JWT Token Requirements

Your tenant-scoped JWT token must include the following fields:

| Field            | Description                                                     | Required |
| ---------------- | --------------------------------------------------------------- | -------- |
| email            | User's email address                                            | Yes      |
| name             | User's display name                                             | Yes      |
| externalId       | Your system's unique ID for this user                           | Yes      |
| tenantExternalId | Your system's ID for the user's business                        | Yes      |
| partnerId        | Your unique vertical SaaS platform identifier provided by Reach | Yes      |
| iat              | Issued at time (in seconds since epoch)                         | Yes      |
| exp              | Expiration time (in seconds since epoch)                        | Yes      |

<Warning>
  Never expose your Shared Secret on the client side. JWT generation must always
  be handled server-side.
</Warning>

## Token Lifecycle

We recommend that tokens expire after 1 hour (3600 seconds). The
Reach SDK handles token expiration by calling your `onReauthRequested` callback when a
token expires.
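
The following is an added example, not Reach's own sample code: it mints a token carrying the fields from the table above with the recommended 1-hour lifetime, using only the Python standard library. It assumes the Shared Secret is used as an HS256 (HMAC-SHA256) key, which this page does not state; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Claim names from the table above; iat and exp are set by mint_tenant_token().
USER_FIELDS = ("email", "name", "externalId", "tenantExternalId", "partnerId")
TOKEN_TTL_SECONDS = 3600  # the 1-hour lifetime recommended on this page


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _sign(signing_input, shared_secret):
    mac = hmac.new(shared_secret, signing_input.encode("ascii"), hashlib.sha256)
    return _b64url(mac.digest())


def mint_tenant_token(user, shared_secret, now=None):
    """Mint a tenant-scoped token on the server. HS256 is an assumption."""
    missing = [f for f in USER_FIELDS if not user.get(f)]
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    issued = int(time.time()) if now is None else int(now)
    # Copy only the documented fields so other user attributes never leak out.
    claims = {f: user[f] for f in USER_FIELDS}
    claims.update(iat=issued, exp=issued + TOKEN_TTL_SECONDS)
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(
        _b64url(json.dumps(p, separators=(",", ":")).encode("utf-8")) for p in parts
    )
    return signing_input + "." + _sign(signing_input, shared_secret)


def decode_claims(token, shared_secret):
    """Check the signature in constant time and return the claims (local self-test)."""
    signing_input, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _sign(signing_input, shared_secret)):
        raise ValueError("bad signature")
    payload = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


if __name__ == "__main__":
    # Constructed sample user and secret; load the real secret from server-side config.
    demo = dict(email="ana@example.com", name="Ana", externalId="u-1",
                tenantExternalId="tenant-42", partnerId="partner-demo")
    print(mint_tenant_token(demo, b"constructed-demo-secret", now=1700000000))
```

`decode_claims` only checks the signature so the minting path can be self-tested; it does not enforce `exp`.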

<Tip>
  For a full server-side example of how to generate JWT tokens that are
  compatible with Reach, please see the examples section
  [here](/samples/jwt-tokens).
</Tip>
