Custom Identity Provider (IdP)


The KeepManagementURL setting in your notes.ini is the URL needed for the Domino REST API Domino task to talk to the Java side of Domino REST API. By default, this is set to http. If you have updated your security to https, you must update this URL. For more information, see Domino REST API task.

Domino REST API requires an access token in JWT (RFC 7519) format. As long as Domino REST API trusts the signature of the presented token, it does not matter how the token was obtained.


Check carefully which systems you trust to provide identity. They hold the key to data access.

When none of the existing IdP solutions fit your needs, you can use a custom provider that generates your JWT token. Make sure that such code is not accessible for abuse, such as unauthorized impersonation.

Sample function

This function turns a given user name and scope into a signed JWT token.

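// Claims shared by every token (iss, aud) plus the token lifetime in seconds
const template = require('./template.json');
const jwt = require('jsonwebtoken');
const fs = require('fs');
// Private key used to sign the tokens
const privateKey = fs.readFileSync('private.key');

const signOptions = {
  algorithm: 'RS256',
  expiresIn: `${template.expSeconds}s`,
  // Write the computed iat and exp back into the claim object
  mutatePayload: true
};

// Turn a user name (sub) and scope into a signed JWT
const renderJwt = (sub, scope) => {
  const claim = { sub, scope, ...template };
  const bearer = jwt.sign(claim, privateKey, signOptions);
  return { bearer: bearer, ...claim };
};

module.exports = { renderJwt };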

Error handling omitted for clarity.

The template

{
  "iss": "Joe and the wailors",
  "aud": "Domino",
  "expSeconds": 3000
}


This is the relevant part of the package.json.

"dependencies": {
    "jsonwebtoken": "^8.5.1"
}

Keys you need

You need to generate a public/private key pair.

ssh-keygen -t rsa -b 4096 -m PEM -f private.key
openssl rsa -in private.key -pubout -outform PEM -out
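
What trusting the signature of a token involves on the receiving side, as an added example that is not part of the original page and not Domino REST API's own code: it signs claims shaped like the template with RS256, then verifies them with the public key while pinning the algorithm and checking issuer, audience and expiry. It uses only Node's built-in crypto module; the in-memory key pair, the helpers `signRs256` and `verifyToken`, and the sample `sub` and `scope` values are assumptions constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Constructed, throwaway key pair standing in for private.key and its public half.
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const b64u = (v) => Buffer.from(v).toString('base64url');

// Minimal RS256 signer so the verifier has real input (the page uses jsonwebtoken for this).
const signRs256 = (claims, key, header = { alg: 'RS256', typ: 'JWT' }) => {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${nodeCrypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
};

// Hypothetical relying-party check: pin the algorithm, verify the signature, then the claims.
const verifyToken = (token, key, expected, now = Math.floor(Date.now() / 1000)) => {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  // The token must not choose its own algorithm: anything but RS256 is rejected.
  if (header?.alg !== 'RS256') return { ok: false, reason: 'algorithm' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sigOk = nodeCrypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return { ok: false, reason: 'signature' };
  // Claims are only read after the signature has been verified.
  if (claims?.iss !== expected.iss) return { ok: false, reason: 'issuer' };
  if (claims.aud !== expected.aud) return { ok: false, reason: 'audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
};

// Constructed sample claims: the template's iss and aud plus a sub, a scope and a 3000 s lifetime.
const NOW = 1700000000;
const EXPECTED = { iss: 'Joe and the wailors', aud: 'Domino' };
const sampleClaims = { sub: 'CN=Jane Doe/O=Example', scope: 'demo', ...EXPECTED, iat: NOW, exp: NOW + 3000 };
const sampleToken = signRs256(sampleClaims, privateKey);

console.log(verifyToken(sampleToken, publicKey, EXPECTED, NOW));
```

Only the public key is needed for `verifyToken`, so the private key never has to leave the system that issues the tokens.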