Using JWT with of-v — Hidden in Backend (HTTP)

Keep your JWT on the server. The browser never sees it. Use a backend proxy for HTTP calls.

What is JWT?

JWT is a signed access token. It is encoded, not encrypted: anyone who obtains the token can read its contents and use it. To keep it hidden, store it only on your backend and never embed it in HTML/JS.

Pattern

  1. Frontend → your server: call /api/pay.
  2. Your server → OF-V: attach Authorization: Bearer <SERVER_JWT> (server-only), and forward the request to /jwt/v1/pay.

Frontend: Create order via your backend

// FRONTEND — create order (no JWT exposed)
const paymentData = {
  sw_add: "0xabc123...",      // Sender ETH Wallet Address
  ag_id: "user@example.com",  // Your user ID/email in OF-V
  c_od: "Subscription July",
  am_t_v: 8.00
};

fetch("/api/pay", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify(paymentData),
  credentials: "include" // if you use a session cookie
})
  .then(r => r.json())
  .then(res => {
    if (res.order_id && res.icode) {
      window.location.href = `/o?io=${res.order_id}&ic=${res.icode}`;
    } else {
      alert(res.error || "Unexpected response.");
    }
  })
  .catch(err => alert("Request failed: " + err.message));

Server: Environment (.env)

# Your server
PORT=8080

# Server→OF-V (keep this secret — DO NOT expose to browser)
OFV_CLIENT_JWT=<server-only JWT from OF-V>
OFV_HTTP_BASE=https://of-v.com:99

Server: HTTP proxy — hide JWT for /pay

// server.js (HTTP proxy) — keep JWT on server
import "dotenv/config";
import express from "express";
import helmet from "helmet";
import morgan from "morgan";
import axios from "axios";
import Joi from "joi";

const app = express();
app.use(helmet());
app.use(express.json());
app.use(morgan("tiny"));

const OFV_HTTP_BASE = process.env.OFV_HTTP_BASE;
const SERVER_JWT = process.env.OFV_CLIENT_JWT;

// Validate incoming payload (mirror OF-V)
const paySchema = Joi.object({
  sw_add: Joi.string().pattern(/^0x[a-fA-F0-9]{40}$/).required(),
  ag_id: Joi.string().email().required(),
  c_od: Joi.string().max(128).required(),
  am_t_v: Joi.number().positive().precision(2).required()
});

// Browser → Your Server → OF-V
app.post("/api/pay", async (req, res) => {
  const { error, value } = paySchema.validate(req.body);
  if (error) return res.status(400).json({ error: "invalid payload", details: error.details.map(d => d.message) });

  try {
    const { data } = await axios.post(`${OFV_HTTP_BASE}/jwt/v1/pay`, value, {
      headers: { Authorization: `Bearer ${SERVER_JWT}` },
      timeout: 15000
    });
    res.json(data);
  } catch (err) {
    if (err.response) {
      res.status(err.response.status).json(err.response.data);
    } else {
      res.status(502).json({ error: "upstream unavailable", details: err.message });
    }
  }
});

const port = Number(process.env.PORT || 8080);
app.get("/healthz", (_req, res) => res.json({ ok: true }));
app.listen(port, () => console.log("Backend running on :" + port));

Verify Success

{
  "message": "Order created successfully.",
  "order_id": "abc123",
  "status": "Deposit Pending",
  "icode": "b500c10c005dd4e99064337cc7027..."
}

Security notes

  • Never embed JWTs in HTML/JS; store in server env/secret manager.
  • Rate-limit /api/pay, add user auth, and log order_id (avoid logging full tokens).
  • Use HTTPS end-to-end.

of-v@of-v.com


© 2025 Yuka.Nikin Coding Studio
