Ryan Stuhl

I believe I have solved my issue which I reported earlier. I'm updating this thread in hopes that someone else with the same error can benefit from what I discovered. 

There were a couple of small nuances in the ruby code which were not demonstrated in the Zendesk Code Examples.

iat = DateTime.now.to_i
exp = (DateTime.now + 6.minutes).to_i
shared_secret = "#{ENV.fetch('ZENDESK_CHAT_SHARED_SECRET','')}"

token = JWT.encode({
   :name => "#{current_user.name}",
   :email => "#{current_user.email}",
   :iat => iat,
   :exp => exp,
   :external_id => "#{current_user.id}"
}, shared_secret, 'HS256')

render json: token

Nuance #1: The ruby code example doesn't show the exp attribute in the JWT encode function although their documentation does say you need it in the section above the code examples. 

Nuance #1: I am not entirely certain this is necessary, but it can't hurt. The :external_id value needs to be a string.

Nuance #3: The code examples don't state that you need to define the algorithm. You will probably cobble together from other comments and posts that you need to define the type and algorithm in the JWT headers, but this is not demonstrated. If you review the readme documentation for the JWT gem, you will see how to correctly pass the algorithm header. https://github.com/jwt/ruby-jwt

Nuance #4: You have to specifically render the value in the response as a json string. This is necessary not only for the javascript function to read it properly, but also for your unit tests ;). No need to render back as a key value pair though, just send the encoded token value back. 

Once I updated my JWT generator code with these nuances, the 400 error went away. I hope this helps someone looking for help getting past the 400 error. 

PS: if you want to see my javascript to fetch the jwt token value, see my previous comment in this thread.

Hi, I'm a little late to the party, but I'm running into a similar issue. First off I want to point out that about halfway through this thread, the answers start pointing to using JWT for SSO and not for chat authenticate. For example the first answer to the OP says to remove the jti param from the payload, but the articles linked in this thread are for SSO and definitively show that you need to have a jti param in the payload making this really confusing to follow along with. 

I have followed the instructions on this guide: Enabling authenticated visitors in Web Widget (Classic) https://support.zendesk.com/hc/en-us/articles/4408838925082.

When my web widget loads on the screen I am getting this 400 error: "Zendesk Chat Web SDK: Error: init: Failed to verify token: jwt verification error"

But if I take the resultant JWT to an online JWT debugger it says the signature is verified.

My secret is not base64 encoded. I am using the ruby-jwt gem as outlined in the Zendesk documentation linked above. The gem is required via rails, and thus is not explicitly required in my snippet below.

My Ruby code:

def zendesk_jwt_endpoint
   # This is and endpoint to call from the javascript portion to support JWT tokens in zendesk
   payload = {
      :name => "#{current_user.name.present? ? current_user.name : current_user.assumed_name_from_email}",
      :email => "#{current_user.email}",
      :iat => DateTime.now.to_i,
      :exp => (DateTime.now + 6.minutes).to_i,
      :external_id => current_user.id
   }
   # this syntax below is directly from the documentation in the ruby-jwt
   # gem for JWT.encode.
   token = JWT.encode payload, "#{ENV.fetch('ZENDESK_SHARED_SECRET','')}", 'HS256', {"typ": "JWT", "alg": 'HS256'}
   render json: {jwt:token}
end

webWidget: {
  authenticate: {
    chat: {
      jwtFn: function(callback) {
        fetch('/zendesk_jwt_endpoint').then(function(res) {
          res.text().then(function(jwt) {
            callback(jwt);
          });
        });
      }
    }
  }
}