To protect documents from unauthorized access, ONLYOFFICE editors use the JSON Web Token (JWT). The token is added to the configuration when the Document Editor is initialized and during the exchange of commands between internal ONLYOFFICE Docs services. The secret key is used to sign the JSON Web Token and to validate the token on each request to ONLYOFFICE Docs.
Starting from ONLYOFFICE Docs v.7.2, JWT is enabled by default and the secret key is generated automatically. You can always change the parameters to the ones you require.
To protect your documents, you need to enable token validation and specify your own secret key in the ONLYOFFICE Docs configuration file, then specify the same secret key in the connector settings.
For Linux/Windows: Configure ONLYOFFICE Docs
- Open the local.json file with any available text editor.
  - For Linux - /etc/onlyoffice/documentserver/local.json
  - For Windows - %ProgramFiles%\ONLYOFFICE\DocumentServer\config\local.json
- Enable token validation by changing the false value to true in three sections:
  - services.CoAuthoring.token.enable.browser
  - services.CoAuthoring.token.enable.request.inbox
  - services.CoAuthoring.token.enable.request.outbox
- Specify your own secret key by replacing the secret value with your own text string in three sections. The secret key must be the same in all three.
  - services.CoAuthoring.secret.inbox.string
  - services.CoAuthoring.secret.outbox.string
  - services.CoAuthoring.secret.session.string
  {
    "services": {
      "CoAuthoring": {
        "token": {
          "enable": {
            "request": {
              "inbox": true,
              "outbox": true
            },
            "browser": true
          }
        },
        "secret": {
          "inbox": {
            "string": "yoursecret"
          },
          "outbox": {
            "string": "yoursecret"
          },
          "session": {
            "string": "yoursecret"
          }
        }
      }
    }
  }
- Save your changes.
- Restart the services for the config changes to take effect.
  systemctl restart ds-converter ds-docservice ds-example ds-metrics
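One way to check the result of the steps above before restarting, as an added example that is not part of the ONLYOFFICE documentation: a Python script that audits a parsed local.json for the three token flags and the three secret strings. The names lookup and audit_local_json and the SAMPLE config are constructed for this example; the "yoursecret" check refers to the sample value shown on this page.

```python
import json
import sys

PREFIX = "services.CoAuthoring."
FLAGS = ["token.enable." + k for k in ("browser", "request.inbox", "request.outbox")]
SECRETS = ["secret.inbox.string", "secret.outbox.string", "secret.session.string"]
PLACEHOLDER = "yoursecret"  # sample value shown on the page, not a real key

# Constructed sample: outbox validation left off, session secret out of sync.
SAMPLE = json.loads("""
{"services": {"CoAuthoring": {
  "token": {"enable": {"request": {"inbox": true, "outbox": false}, "browser": true}},
  "secret": {"inbox": {"string": "yoursecret"}, "outbox": {"string": "yoursecret"},
             "session": {"string": "k3"}}}}}
""")


def lookup(config, dotted):
    """Walk a dotted path through nested dicts; None if any key is missing."""
    node = config
    for key in (PREFIX + dotted).split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_local_json(config):
    """Return findings; an empty list means the JWT settings are consistent."""
    findings = []
    for flag in FLAGS:
        if lookup(config, flag) is not True:
            findings.append(PREFIX + flag + " is not true")
    values = [lookup(config, s) for s in SECRETS]
    for name, value in zip(SECRETS, values):
        if not isinstance(value, str) or not value:
            findings.append(PREFIX + name + " is missing or empty")
        elif value == PLACEHOLDER:
            findings.append(PREFIX + name + " still holds the sample value")
    if any(v != values[0] for v in values):
        findings.append("the three secret strings differ")
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the sample above.
    cfg = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE
    problems = audit_local_json(cfg)
    print("\n".join(problems) or "JWT settings OK")
    sys.exit(1 if problems else 0)
```

Run it with the path to local.json as the only argument; a non-zero exit status means at least one of the six settings needs attention.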
For Docker: Use environment variables
If you change the automatically generated secret key or disable JWT manually in /etc/onlyoffice/documentserver/local.json, JWT will be enabled again and the secret key will be re-generated during server restart.
To avoid this issue, use environment variables in the docker run command.
To change the secret key, specify your own value in -e JWT_SECRET=my_jwt_secret.
To disable JWT, use -e JWT_ENABLED=false.