Secure your Endpoints with JWT Tools, JWK encryption and decryption , create PEM Files on the fly - Security Salamander

Hi forums,

I’m releasing another plugin soon, this time dubbed Security Salamander.

https __s3.amazonaws.com_appforest_uf_f1663436551713x796856683199994400_icons8-axolotl


I was building a Fintech app using Plaid Webhooks for one of my clients. One of the very first problems I came across was finding a way to secure my API endpoint to ensure that I am only accepting API Requests from Plaid, and no one else. Since my client is in the world of American politics, there are many bad actors - and so any risk (otherwise insignificant) can become a huge problem.


By far the most common way of securing API endpoints is by using JWT (JSON Web Tokens). In Bubble, there is no way to “work” with JWT, or JWK (JSON Web Keys) which are vital to any JWT integration. The problem is that there are several ways of using JWT, all requiring their own encryption algorithms. For instance, Plaid uses JWT with an encryption algorithm that is completely different from Stripe’s.


My plugin, Security Salamander, will be a bundle of very useful server side actions that will let you use (most) JSON Web Tokens integrations: secure your endpoints, use more complicated API services, such as Stripe’s Pin management (currently incompatible with the API connector).

This plugin will support the most common encryption algorithms for encryption and decrypting JWK, let you create PEM files on the fly and more general actions to perform very common tasks with JSON.

I’ll update this post when I am ready to release. If anyone has any questions, comments or suggestions let me know :slight_smile:


Bruh, wow! If you need a tester… Salut! haha Can’t wait to try this out with our xano backend.



This is what I have so far, all seem to be working. For anyone wondering, the fetch action lets you fetch a public key from a URL and convert it into JSON.

Any suggestions / ideas?


Hey everyone!

I’ve just sent the plugin for review by Bubble. It should be available soon!

In the meantime, check out this YouTube introduction I made.


Can’t wait to try this. Need to secure my Stripe webhooks and excited for this. Commenting here so I can get an update when it’s live.

1 Like

I’m glad you are excited. I’ll always be here for questions and feature improvements. Good luck!


While you are waiting for the plugin to release, you can check out this demo.

EDITOR: Plugin-testing-page | Bubble Editor


It’s out now!

1 Like

@Future @jacob.b.singer

It is available :smiley:

1 Like

ah yeah! will try asap. thanks jonah :slight_smile:

1 Like

Incredible! Will give it a go, are you still working on this?

1 Like

Yeah! I use this all the time in my projects personally, so updates will come out once in a blue moon. If every you need any new features let me know (or if you see any bugs!).


Already tested and decodes my JWT. SOOO glad I came across this. I am also building in Fintech so pretty sure have some more use in the future. Thanks for the shout :rocket:



I want to purchase this plugin but I can see very few installations and reviews.

Does this plugin still have support? Is still active?


What the installs and reviews have to do with anything? If it is going to take care of a problem you have, take the chance. Besides, Jonah is very active and still very involved.


No need to roast my plug-in sales now!

Yes this plug-in is supported still. It is an indispensable piece of some of my live apps. Also, you could have checked the release date :wink: it hasn’t even been out for 6 months!

1 Like

I knew I was going to come back to this plugin. I am looking to save an access token to the page briefly just to pare values without needing to use the database :innocent:

Ideally I’d create some sort of encryption of the token, and then decrypt later in the workflow. Any pointers? :bowing_man: Already tried creating a JWT and then decoding it but got lost in the technicalities

No rush on this at all. Just thought worth sharing. Still loving this plugin and using it all the time for oAuth2 decoding

1 Like

Thanks so much for the feedback :smiley:

I’m not sure I understand what you’re trying to achieve. Mind clarifying?

1 Like

Sure, happy to :raised_hands:. I am looking to save an access token from a token refresh as a custom state on bubble.
Reason being, This token is the basis for chatbot and needs to be used super quick. Saving it to the database and looking it up just takes up too much time.

Now, I got this already but would love to ecrypt the token to make this more secure. Was wondering if I could use your plugin since I am already using it for oAuth2 decoding, and I have seen you offer encoding and decoding. So ideally, I’d encode the access token, then save to page, then decode and use it.

Am I making a bit more sense? Appreciate you looking into this

The thing is you’ve got to understand the difference between encryption and encoding. Encrypting generally means that you’re making it in a way that no one including yourself can decrypt it in any “easy” way (because there is a thing called brute force and there’s secret key shenanigans you can do as well)

You might want to encode it, which basically means you are making it harder to read (for instance, base64 encoding) but this is just meant to make reading it a bit harder but its still not secure.

Basically, it’s hard to give you a straight answer because I don’t really know what you need it for and how you’ll use it. But I would say that in the case you want to encrypt it you can use SHA 256 encryption or HMAC (Already included in the plugin). If you want to encode it, maybe use base 64 encoding

1 Like