SSO

Login via SSO (Single Sign-On)

The SSO process enables seamless login of advertisers to the AdsHero panel directly from the shop’s platform, without the need to provide separate login credentials.

The advertiser’s account must already exist in the AdsHero system — it will be created during feed processing.

JWT Token

The JWT token must be signed using the HMAC-SHA256 (HS256) algorithm with a shared secret. The signing secret is provided by the AdsHero team.

Header:

{
  "alg": "HS256"
}

Payload — should contain the following fields:

{
  "sub": "string (email)",
  "iss": "string",
  "seller_ids": ["string"],
  "exp": 0
}

Token field descriptions:

  • sub — User’s email address. This will also be the login of the user created in the AdsHero system.
  • iss — Unique whitelabel identifier (UUID) assigned by AdsHero.
  • seller_ids — List of seller identifiers (external_seller_id from the feed) that the user has access to. Must contain the value passed in the sellerId parameter.
  • exp — Token expiration time (Unix timestamp). A token with an expired exp value will be rejected.
Note: The AdsHero panel displays the first and last name of the logged-in user. Since the JWT token does not contain this data, during the user creation process, the part of the email address before the @ sign is used as the first name. The last name remains empty.

Authentication endpoint

The JWT token generated by the shop is sent to AdsHero at the following endpoint:

GET https://api.adshero.io/v1/auth/sso?token={tokenJWT}&sellerId={sellerId} HTTP/2

curl --location --request GET \
    'https://api.adshero.io/v1/auth/sso?token={tokenJWT}&sellerId={sellerId}'

Query parameter descriptions:

  • token — JWT token in standard format (header.payload.signature).
  • sellerId — ID of the currently selected seller (external_seller_id from the feed).
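
The token and request URL described above, built on the shop side with the Python standard library. This is an added example, not AdsHero's code: the function names and the 60-second default lifetime are assumptions, and self_check is a hypothetical local pre-flight check of the rules stated on this page, not AdsHero's validation logic.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

SSO_ENDPOINT = "https://api.adshero.io/v1/auth/sso"  # endpoint given on this page


def _b64url(data):
    # JWT uses base64url without "=" padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _sign(secret, signing_input):
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def make_sso_token(secret, email, whitelabel_id, seller_ids, ttl=60, now=None):
    """Return header.payload.signature with the fields this page lists."""
    now = int(time.time()) if now is None else now
    payload = {"sub": email, "iss": whitelabel_id,
               "seller_ids": list(seller_ids), "exp": now + ttl}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode("utf-8"))
             for p in ({"alg": "HS256"}, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + _b64url(_sign(secret, signing_input))


def self_check(token, secret, seller_id, now=None):
    """Local pre-flight check of the rules stated on this page (assumed helper)."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")
    if not hmac.compare_digest(_b64url(_sign(secret, head + "." + body)), sig):
        return "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= now:
        return "expired"
    if seller_id not in claims["seller_ids"]:
        return "sellerId not in seller_ids"
    return "ok"


def build_sso_url(token, seller_id):
    # urlencode percent-escapes both values for the query string
    return SSO_ENDPOINT + "?" + urlencode({"token": token, "sellerId": seller_id})
```

The token travels in the URL query string, so it can be recorded in browser history and in server or proxy logs; a short exp limits how long a recorded copy remains usable.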