API JWT signing secret key

The secret key used to sign the JSON Web Token (JWT). Non-optional, make sure you use different values for different projects and keep it in a secret place

API JWT signing algorithm

The algorithm used to sign the JWT. Default is HS512. For more possible values refer to JWT web site: https://jwt.io/introduction.

API JWT authorization header

The name of the header storing the JWT. Default value is X-Authorization

API access time after login (seconds)

Time you can access the protected resources after login. Default value is 0. If you want delay access, you can change it to 10.

API expire time after login (seconds)

The JWT expiry time. Default value is 3600 (60 minutes). Users will need to authenticate again once the JWT expires.

API custom headers

If enabled, Access-Control-Allow-Origin, Access-Control-Allow-Headers and Access-Control-Allow-Methods will be issued by IIS/Apache. Default is false.

Notes

For Apache, the mod_headers must be enabled for this setting to work.
If disabled, the headers will be issued by CORS middleware.

API Access-Control-Allow-Origin

The Access-Control-Allow-Origin header. If unspecified, default value is "*" so the REST API can be accessed by external apps.

API Access-Control-Allow-Headers

The Access-Control-Allow-Headers header.

Note CORS-safelisted request headers are always allowed and hence usually aren't listed in Access-Control-Allow-Headers (unless there is a need to circumvent the safelist additional restrictions).