--- sidebar_position: 8 --- # User tokens A plugin can utilize user tokens to authenticate the currently logged in user against a third-party API. To begin the authentication process, developers need to register their application with Future Ordering. Below are the steps to authenticate the current user against a third-party API: 1. Retrieve a user token using the desired scope. In production scenarios, the custom application scope which is provided when registering your backend API with Future Ordering should be used. For authentication purposes and in development, using the `openid` scope is a good way to get started. 2. Include the token in the `Authorization` HTTP header (using the Bearer scheme) when sending requests to the custom API 3. Validate the token for authentication and authorization in the custom API - see [Validating Access Tokens](../exposing-custom-api/validating-access-tokens.md) :::note Avoid depending on the source of the HTTP request being the device itself. In the future, requests with Authorization headers containing Future Ordering access tokens might be intercepted and proxied, changing the source of the request. ::: ## Example plugin utilizing user tokens The following example plugin gets a list of messages for the currently logged in user. ```javascript export default async context => { const myApiBaseUrl = 'https://...'; const token = await tokenService.getUserImpersonationToken('openid'); const res = await fetch(`${myApiBaseUrl}/messages/new`, { method: 'GET', headers: { Authorization: `Bearer ${token}`, }, }); if (!res.ok) throw new Error(`Error fetching messages`); const messages = await res.json(); // display messages // ... }; ``` ## Example token data - `sub` - user ID - `tenant` - tenant ID ```json { "nbf": 1710509368, "exp": 1710511168, "iss": "https://order.futureburger.com", "client_id": "foweb", "sub": "81183934-5aa8-434d-be60-31374d21c853", "auth_time": 1710509368, "idp": "local", "tenant": "futureburger", "jti": "AAF951A7B8327681F5A8C6B6525ECC4C", "iat": 1710509368, "scope": [ "openid" ], "amr": [ "urn:ietf:params:oauth:grant-type:token-exchange" ] } ```