Locksmith
Auth in an afternoon. Locksmith is a JWT authentication API for end-user apps.
Use the API section for every endpoint, SDKs for language clients, and Frameworks for the Next.js integration (cookie BFF, React UI components).
How it works
- Create a project in the dashboard — you get two API keys: one for Production (lsm_live_…) and one for Sandbox (lsm_sbx_…).
- Call the REST API from your backend using the appropriate key. The environment is inferred from the key prefix — you never pass it separately.
- Issue RS256 JWTs to your end users. Verify them locally with your project's public key (no Locksmith call needed on every request).
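The local verification step above, as an added example (not Locksmith's SDK or code from this page): it uses only Node's built-in crypto, pins the algorithm to RS256 instead of trusting the token header, and checks exp. The key pair, the signToken helper and the claim names (sub, exp) are constructed for the demo; on a real server only the project's public key would be present.

```javascript
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64url = (s) => Buffer.from(s, "base64url");

// Constructed key pair standing in for the project's keys (assumption for the demo).
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Demo-only helper that plays the issuer; real tokens come from the auth API.
function signToken(header, claims, key) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(crypto.sign("sha256", Buffer.from(input), key))}`;
}

// Verify a compact JWT locally. Returns { ok, claims } or { ok: false, reason }.
function verifyRs256(token, pubKey, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = JSON.parse(fromB64url(parts[0]).toString("utf8"));
    claims = JSON.parse(fromB64url(parts[1]).toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm: a token claiming "none" or "HS256" is rejected before
  // any signature check, so the header never selects the verification method.
  if (header?.alg !== "RS256") return { ok: false, reason: "bad_alg" };
  // RSASSA-PKCS1-v1_5 with SHA-256 over "<header>.<payload>" is RS256.
  const valid = crypto.verify("sha256", Buffer.from(`${parts[0]}.${parts[1]}`),
    pubKey, fromB64url(parts[2]));
  if (!valid) return { ok: false, reason: "bad_signature" };
  // Only trust claims after the signature checks out; require an unexpired exp.
  if (typeof claims?.exp !== "number" || claims.exp <= nowSec) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, claims };
}
```

Production code would normally also check the issuer and audience claims against expected values; those are omitted here because this page does not state what the tokens contain.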
Never expose your API key
Use lsm_live_ / lsm_sbx_ keys only on your server. Browser code should call your backend or a cookie-based BFF (see the Next.js framework guide).
Quick links
| API reference | All endpoints with live try-it |
| TypeScript SDK | @getlocksmith/sdk |
| Next.js framework | @getlocksmith/nextjs — BFF, middleware, UI forms |
| Authentication guide | JWT, environments, refresh flow |
| Webhooks guide | Event payloads, HMAC verification |