Redirecting to the Subscription Portal

What do I need to send?

  1. A JWT with a short expiry whose payload contains the parent's Timeback ID

    • It is crucial to include state information in the parent's metadata in OneRoster, in the following format:

      "metadata": {
          "address": {
              "state": "Texas"
          }
      }

  2. Your provider ID

How do I generate the JWT?

The payload should include:

  • parentTimebackId: The Timeback ID of the parent.

  • A short expiration time (exp)

  • An issued-at timestamp (iat)

Sign the JWT with your EDUPAID_JWT_SECRET (provided by Edupaid) using the HS256 algorithm.

Example payload:

{
  "parentTimebackId": "parent-123"
}

TypeScript example using jose:

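import { SignJWT } from 'jose';
import { NextResponse } from 'next/server';

// Next.js route handler: runs on the server only, so the secret never reaches the browser.
export async function GET() {
  // Placeholders: resolve both values server-side for the signed-in parent.
  const parentTimebackId = 'parent-123';
  const providerId = 'YOUR_PROVIDER_ID';

  const secret = process.env.EDUPAID_JWT_SECRET;
  if (!secret) {
    console.error('EDUPAID_JWT_SECRET is not set in environment variables.');
    return NextResponse.json(
      { error: 'Internal server error: Missing secret' },
      { status: 500 }
    );
  }

  const secretKey = new TextEncoder().encode(secret);
  // 30 minutes, the upper end of the lifetime recommended in the Security Guidelines
  const expirationTime = Math.floor(Date.now() / 1000) + 30 * 60;

  const token = await new SignJWT({ parentTimebackId })
    .setProtectedHeader({ alg: 'HS256' })
    .setExpirationTime(expirationTime)
    .setIssuedAt()
    .sign(secretKey);

  // Redirect to the subscription portal; searchParams percent-encodes the values.
  const portalUrl = new URL('https://students.edupaid.2hourlearning.com/subscription-portal');
  portalUrl.searchParams.set('token', token);
  portalUrl.searchParams.set('providerId', providerId);
  return NextResponse.redirect(portalUrl);
}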

Where do I send the user?

Redirect the user to:

https://students.edupaid.2hourlearning.com/subscription-portal?token=YOUR_TOKEN_HERE&providerId=YOUR_PROVIDER_ID

Replace:

  • YOUR_TOKEN_HERE with the JWT.

  • YOUR_PROVIDER_ID with your provider ID.


Security Guidelines

  • Use HTTPS for all sensitive data transfers.

  • Short-lived tokens: 20-30 minutes is ideal.

  • Never expose EDUPAID_JWT_SECRET to frontend clients.

  • Token generation must be done on a backend you control.

  • Validate all inputs before creating the token.
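
The guidelines above applied in code, as an added example that is not Edupaid's own: inputs are validated and the token lifetime is capped at 30 minutes before anything is signed or placed in the redirect URL. It uses Node's built-in crypto instead of jose so it runs without dependencies; the function names, the ID pattern and the sample values are assumptions.

```typescript
import { createHmac } from 'node:crypto';

const PORTAL_URL = 'https://students.edupaid.2hourlearning.com/subscription-portal';
const MAX_TTL_SECONDS = 30 * 60; // upper end of the 20-30 minute guideline
const ID_PATTERN = /^[A-Za-z0-9_-]{1,128}$/; // assumed ID shape, adjust to your data

const b64url = (text: string): string => Buffer.from(text, 'utf8').toString('base64url');

// Validate inputs, then sign an HS256 JWT carrying parentTimebackId, iat and exp.
function signPortalToken(
  parentTimebackId: string,
  secret: string,
  ttlSeconds: number = 20 * 60,
  now: number = Math.floor(Date.now() / 1000),
): string {
  if (!secret) throw new Error('EDUPAID_JWT_SECRET is not set');
  if (!ID_PATTERN.test(parentTimebackId)) throw new Error('invalid parentTimebackId');
  if (!Number.isInteger(ttlSeconds) || ttlSeconds < 1 || ttlSeconds > MAX_TTL_SECONDS) {
    throw new Error(`ttlSeconds must be an integer from 1 to ${MAX_TTL_SECONDS}`);
  }
  const header = b64url(JSON.stringify({ alg: 'HS256' }));
  const payload = b64url(JSON.stringify({ parentTimebackId, iat: now, exp: now + ttlSeconds }));
  const signature = createHmac('sha256', secret)
    .update(`${header}.${payload}`)
    .digest('base64url');
  return `${header}.${payload}.${signature}`;
}

// Build the redirect URL; searchParams percent-encodes both values.
function buildPortalRedirect(token: string, providerId: string): string {
  if (!ID_PATTERN.test(providerId)) throw new Error('invalid providerId');
  const url = new URL(PORTAL_URL);
  url.searchParams.set('token', token);
  url.searchParams.set('providerId', providerId);
  return url.toString();
}

// Decode the claims without verifying, to inspect what is about to be sent.
function readClaims(token: string): { parentTimebackId: string; iat: number; exp: number } {
  const [, payload = ''] = token.split('.');
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
}

// Constructed sample values, not real credentials.
const sampleToken = signPortalToken('parent-123', 'constructed-test-secret', 1200, 1700000000);
console.log(buildPortalRedirect(sampleToken, 'provider-abc'));
console.log(readClaims(sampleToken));
```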
