post
https://{organization}.my.pitcher.com/api/v1/wopi/files//token
Mints a small, short-lived token for use as the WOPI access_token query
parameter when launching Office Online. The user's regular Auth0 JWT can
exceed Office Online's URL length limit (~2 KB) once the embedded
instances roles claim grows large, causing the editor to fail before
ever reaching this backend.
Security model:
- Signed with a WOPI-specific HMAC key (`get_wopi_token_key`) that is
  cryptographically separate from the impersonation key. A bug in either
  flow cannot be used to forge tokens for the other.
- Carries `iss: WOPI_TOKEN_ISSUER` and `aud: WOPI_TOKEN_AUDIENCE`, both
  enforced by `pitcher.simplejwt.verify_token`. The audience check
  prevents a future signing-key reuse from being exploitable across
  token types.
- Carries `scope: "wopi"` so `JWTAuthentication` rejects it on any
  non-WOPI endpoint (defense against the token being lifted from Office
  Online's URL/logs and used as a general-purpose API key).
- Carries `file_id` so the WOPI views reject it on any other file
  (defense against cross-file replay).
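The WOPI-side checks in this security model, sketched as a stand-alone HS256 mint/verify pair. This is an added example, not `pitcher.simplejwt.verify_token` or any of the project's code. The keys, the issuer and audience values, the 300-second lifetime and the names `mint` and `verify_wopi` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# All values below are constructed for this example; the page does not give them.
WOPI_KEY = b"constructed-wopi-hmac-key"
IMPERSONATION_KEY = b"constructed-impersonation-key"
WOPI_TOKEN_ISSUER = "issuer.example"
WOPI_TOKEN_AUDIENCE = "wopi.example"

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def mint(key, file_id, now=None, ttl=300, **overrides):
    """Build an HS256 token; ttl=300 s is an assumed lifetime."""
    now = int(time.time()) if now is None else now
    claims = {"iss": WOPI_TOKEN_ISSUER, "aud": WOPI_TOKEN_AUDIENCE,
              "scope": "wopi", "file_id": file_id, "exp": now + ttl, **overrides}
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(key, head + '.' + body))}"

def verify_wopi(token, file_id, now=None):
    """Return the claims or raise ValueError naming the first failed check."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")  # wrong part count raises ValueError
    # The algorithm and key are fixed here, never taken from the token header.
    if not hmac.compare_digest(sign(WOPI_KEY, f"{head}.{body}"), b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))
    if not isinstance(claims, dict):
        raise ValueError("claims not an object")
    if claims.get("iss") != WOPI_TOKEN_ISSUER:
        raise ValueError("bad issuer")
    if claims.get("aud") != WOPI_TOKEN_AUDIENCE:
        raise ValueError("bad audience")
    if claims.get("scope") != "wopi":
        raise ValueError("bad scope")
    if claims.get("file_id") != file_id:
        raise ValueError("file_id mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims
```

A token minted with `IMPERSONATION_KEY` fails at the signature step, and a validly signed token presented for a different `file_id` fails at the file check, which are the key-separation and cross-file-replay cases from the list.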
200 No response body
