You do not need to manage the VUT directly in most cases. Vybe handles token minting, injection, and validation automatically. This page is for advanced users who need to understand the authentication flow for custom server-side logic.
How it works
The VUT is part of every authenticated request to a deployed app:User visits a deployed app
The user navigates to
<app-slug>-<org-slug>.vybe.build and is authenticated through Vybe’s session system.Vybe mints a VUT
The Vybe middleware creates a new VUT for this request. The token contains claims that identify the user, the app, and the token’s validity window.
Token is injected as a header
The VUT is added to the request as the
x-vybe-user-token header before the request is forwarded to your app.Your app forwards the VUT
When your app makes API calls to Vybe services (fetching integration data, running data queries, etc.), it includes the VUT in the request headers. This tells Vybe which user is making the request.
Token details
| Property | Value |
|---|---|
| Format | Standard JWT (RFC 7519) |
| Algorithm | ED25519 (EdDSA) |
| Lifetime | 13 minutes |
| Delivery | x-vybe-user-token request header |
Why ED25519
Vybe uses ED25519 (Edwards-curve Digital Signature Algorithm) for signing tokens. Compared to RSA or HMAC-based JWT signatures, ED25519 offers:- Faster signing and verification — important for low-latency request handling
- Smaller signatures — 64 bytes vs. 256+ bytes for RSA, reducing header size
- Strong security — 128-bit security level, equivalent to RSA-3072
Token claims
The VUT contains the following standard JWT claims:| Claim | Name | Description |
|---|---|---|
sub | Subject | The user’s unique ID |
aud | Audience | The app’s unique ID — ensures the token is only valid for the intended app |
iat | Issued At | Unix timestamp of when the token was minted |
exp | Expiration | Unix timestamp of when the token expires (13 minutes after issuance) |
iss | Issuer | Identifies Vybe as the token issuer |
Two-factor API authentication
Vybe uses two credentials together to authenticate API calls from your app:| Credential | Identifies | Scope |
|---|---|---|
VYBE_SERVER_SECRET | The app | App-level resources |
x-vybe-user-token (VUT) | The user | User-level resources |
When you need both
App-level resources require only the server secret. These are resources that belong to the app itself, not to any specific user:- Shared integration connections
- Organization-wide data queries
- App configuration
- Personal integration accounts (a user’s own Slack connection)
- User-specific data
- Actions performed on behalf of a user
Example: API call with both credentials
Key rotation
Vybe uses a blue/green key rotation strategy to rotate signing keys without downtime.How it works
- Two key slots — Vybe maintains two signing key slots (blue and green). Both are always active for token validation.
- One active for minting — At any given time, only one slot is used to sign new tokens. For example, the blue key signs all new VUTs.
- Rotation — When it is time to rotate, Vybe switches minting to the green key. New tokens are signed with the green key.
- Graceful expiry — Tokens signed with the old blue key remain valid until they expire (up to 13 minutes). Both keys are accepted for validation during this window.
- Cleanup — After all old tokens have expired, the blue key slot is replaced with a fresh key, ready for the next rotation.
Why this matters
- Zero downtime — Key rotation never invalidates active tokens. Users experience no interruption.
- No coordination required — Your app does not need to do anything during a rotation. Vybe handles validation of both old and new keys automatically.
- Short exposure window — Because tokens live for only 13 minutes, the overlap window during rotation is brief.
Token lifecycle
Here is the complete lifecycle of a VUT from creation to expiration:Frequently asked questions
Can I decode the VUT in my app?
Can I decode the VUT in my app?
Yes. The VUT is a standard JWT, so you can decode it using any JWT library. However, you should not validate it yourself — let Vybe handle validation when you pass it in API calls. Decoding the token can be useful for reading the
sub claim (user ID) without making an API call.What happens if the VUT expires during a long-running request?
What happens if the VUT expires during a long-running request?
The VUT is validated when your app makes an API call to Vybe, not when the original request was received. If a VUT expires mid-request, the API call will return a 401 error. For long-running operations, make your Vybe API calls as early as possible in the request lifecycle.
Can I use the VUT to call third-party APIs directly?
Can I use the VUT to call third-party APIs directly?
No. The VUT is only valid for Vybe APIs. Third-party services will not recognize or accept it. To call third-party APIs, use the credentials provided through the Vybe integration system.
Is the VUT stored anywhere?
Is the VUT stored anywhere?
No. The VUT is generated per-request, injected as a header, and discarded after the response. It is not stored in cookies, local storage, or any database.
Security context
The VUT is part of Vybe’s defense-in-depth approach to API authentication:- Security middleware validates the session and mints the VUT before the request reaches your app — this middleware is hand-written infrastructure code, never AI-generated
- Server secret authenticates the app itself, ensuring requests come from legitimate Vybe applications
- VUT authenticates the user, enabling user-scoped data access and audit trails
- Short lifetime (13 minutes) limits exposure if a token is somehow intercepted
- Audience binding prevents a token minted for one app from being used against another
What’s next
- Learn how secrets and credentials are stored: Secrets & Encryption
- Understand the full authentication flow: App Authentication
- Review the security architecture: Security Overview