Skip to main content

Secure token

Participation flow

With this technique, the participant must start the campaign being identified on your side. This part is out of Qualifio responsibility.

  • After the connection/identification, your application/resource creates a message (secure token) that will allow you to secure the payload (information) shared with Qualifio as well as certifying the message has been emitted by the right person when received by Qualifio (meaning you).

    • To enhance the information exchange, this message (JWT) can be encrypted (JWE)
  • This token must be added to Qualifio campaign URL or JS tag or minisite script, when integrating it to make it available for participants

  • Thanks to its integration, Qualifio campaign is loaded with the secure token

  • The participant can play the campaign and Qualifio can perform two technical checks regarding the token (at the campaign loading).

    • The expiration check to verify the token received is still valid

    • The second check is focused on the token signature. To allow Qualifio to assess the token is emitted by the expected person, Qualifio offers different techniques

      • Check based on private/public key pair provided by you
      • Check based on a symmetric key shared between you & Qualifio
      • Check based on a call to a JWKS endpoint provided by you
  • When the participant reaches the form step, Qualifio will use the token received, to prefill the identification form with participant’s data

    • If you choose not to send the participant data in the JWT, Qualifio will call the API with the access token (authorization) received and will request the participant's information in this call.
    • If you choose to send the participant data within the token, Qualifio won’t perform this additional call and will use them to prefill the form directly
  • The data received will allow Qualifio to prefill the identification form and the participant will be able to pursue his/her journey.

Process flow

Secure token - process flow

What are the requirements to set it up?

You need to be able to share with Qualifio a valid secure token coming with the campaign URL/tag. In order to allow the technical checks linked to the token, you have to provide more information than the classical token’s header and content:

  • Define token signature approach: To provide to Qualifio the chosen token validation method amongst the list of available ones:
    • JWKS Endpoint: You will need to add the kid field in the header of each JWS you generate.
    • Public key
    • Symmetric key
  • Decide if you want to encrypt the token. Two possibilities are available here:
    • Encryption is managed on your side. Qualifio receives the token encrypted directly and decrypt it thanks to a Encryption Secret Key provided by you
    • Encryption is managed on the Qualifio side based on our encryption API (Crypto API). You will send the signed token to an Authorization API to generate the bearer token before calling the Crypto API and receiving back the token encrypted


  • This method to exchange participants’ data works when you know your audience and you can associate one unique ID to a participant, coming from one of your tools in the back-end. E.g. : if your game is published in an app, if your game is sent to customers already in your database with an associated unique ID, if your game is published on a page accessible only to a certain type of customers,… This solution is also used when participants have a unique ID on your side, even without any access to a personal space.
    • This method doesn’t answer lead generation campaign use cases
  • On top of the participant identification itself, you can use this method to apply custom participation limitations to your games. You have the possibility to add this information within the payload. The logic linked to the participation limitation will be managed on your side and shared with Qualifio via the token. Based on the information, Qualifio will allow the participant to play or present a screen explaining he/she doesn’t match the conditions to enter the game

Additional resources