Rimo SSO API
Single sign-on token generation for seamless checkout between Loop Health (my.loop.health) and Loop Bio Labs (loopbiolabs.com).
Overview
When a Loop Health member navigates to purchase products on Loop Bio Labs, an SSO token is generated that carries their identity and membership discount tier. This avoids requiring users to log in separately on the e-commerce site.
Flow
1. User clicks "Buy" on my.loop.health
2. Frontend calls POST /api/sso/generate
3. Server verifies Clerk session, generates JWT
4. JWT contains: userId, membership_tier, discount_percent
5. User redirected to loopbiolabs.com?sso_token=<jwt>
6. Loop Bio Labs validates JWT and applies discount

Generate SSO Token

```bash
curl -X POST "https://my.loop.health/api/sso/generate" \
  -H "Authorization: Bearer $CLERK_JWT" \
  -H "Content-Type: application/json"
```

Authentication: Clerk session required.
Rate Limit: 10 requests per minute per user.
Response
```json
{
  "ssoToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expiresAt": "2024-06-15T12:05:00Z",
  "checkoutUrl": "https://loopbiolabs.com/checkout?sso_token=eyJ..."
}
```

JWT Payload
```json
{
  "sub": "user_clerk_123",
  "membership_tier": "pro",
  "discount_percent": 15,
  "iss": "loop-health",
  "aud": "loop-bio-labs",
  "exp": 1718451900,
  "iat": 1718451600,
  "jti": "unique-token-id"
}
```

Security
| Feature | Details |
|---|---|
| Algorithm | HS256 |
| TTL | 5 minutes |
| Single-use | JTI-based replay prevention |
| Rate limit | 10 per minute per user |
| Secret | SSO_JWT_SECRET shared between apps |
Token Validation (Loop Bio Labs side)
- Verify JWT signature using shared SSO_JWT_SECRET
- Check iss is "loop-health" and aud is "loop-bio-labs"
- Verify exp has not passed
- Check JTI has not been used before
- Extract membership_tier and discount_percent
- Apply discount to checkout
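The validation list above, worked through end to end as an added example (not code from either Loop app): a stdlib-only HS256 signer standing in for the my.loop.health side, and a validator for the loopbiolabs.com side that performs every listed check in the order a practitioner should (signature first, then iss/aud, exp, and the JTI replay check). The in-memory `used_jtis` set is an assumed stand-in for whatever shared store the real deployment uses, and the secret value is a placeholder.

```python
import base64, hashlib, hmac, json, time, uuid

SSO_JWT_SECRET = b"your-shared-secret-between-apps"  # placeholder; must match on both apps
TIER_DISCOUNT = {"free": 0, "pro": 15, "elite": 25}      # from the Membership Tiers table

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def generate_sso_token(user_id: str, tier: str, now: int, secret: bytes = SSO_JWT_SECRET) -> str:
    """my.loop.health side: HS256 JWT with the page's claims, a 5-minute TTL and a fresh jti."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "membership_tier": tier, "discount_percent": TIER_DISCOUNT[tier],
              "iss": "loop-health", "aud": "loop-bio-labs",
              "iat": now, "exp": now + 300, "jti": str(uuid.uuid4())}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_sso_token(token: str, used_jtis: set, now: int, secret: bytes = SSO_JWT_SECRET) -> dict:
    """loopbiolabs.com side. Raises ValueError on any failed check; returns the claims to apply."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":            # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))      # only now are the claims trustworthy
    if claims.get("iss") != "loop-health" or claims.get("aud") != "loop-bio-labs":
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    jti = claims.get("jti")
    if not jti or jti in used_jtis:             # single-use: a seen jti means replay
        raise ValueError("token replayed")
    used_jtis.add(jti)                          # real deployments: shared store with a TTL >= 5 min
    return {"userId": claims["sub"], "membership_tier": claims["membership_tier"],
            "discount_percent": claims["discount_percent"]}
```

Note that the JTI store must be shared across all loopbiolabs.com instances, otherwise a token can be presented once per instance.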
Membership Tiers
| Tier | Discount |
|---|---|
| free | 0% |
| pro | 15% |
| elite | 25% |
Environment Variables
```
SSO_JWT_SECRET=your-shared-secret-between-apps
```

Both my.loop.health and loopbiolabs.com must have the same SSO_JWT_SECRET.