How It Works


Generate an RSA key pair

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in private_key.pem -out public_key.pem

Store your private key securely. You will need it to sign access tokens later.


Setup your account

Log in to, and update the public key field in your account settings.


Generate access tokens

Create an endpoint within your backend system designed to generate and provide access tokens for your frontend application.

  import jwt from 'jsonwebtoken';

  function generateToken(): string {
    return jwt.sign(
      RSA_PRIVATE_KEY,          // The private key generated in Step 1.
        algorithm: 'RS256',
        expiresIn: '1h',        // Rye's policy restricts TTL durations to a maximum of one hour.
        audience: JWT_AUDIENCE, // for production, for staging.
        issuer: JWT_ISSUER,     // Your unique issuer value can be found in the Rye console under the Account tab. Note this value is unique per environment (staging vs production)

Use the access token

Include the access token within the Authorization header for any requests made to the Rye API.

  const response = await
      headers: {
        'Authorization': `Bearer ${JWT_TOKEN}`,
        'Content-Type': 'application/json',

When utilizing JWT authentication, there’s no need to include the Rye-Shopper-IP header in your requests, as Rye will automatically use the client’s IP address.