How can I ensure that the token field I configured is used by OnlyOffice and forwarded without being modified?

hanxin · 26 March 2026 00:41

    const config = {
      documentType: documentType,
      document: {
        title: this.fileName,
        url: this.fileUrl,
        fileType: ext,
        key:this.uuidv4(),
        permissions: {
          edit: false,
          download: false,
          print: false
        }
      },
      // info: {
      //   custom: {
      //     authToken: getToken(),              
      //   }
      // },
    }

My URL is used to call my backend API. I have confirmed that everything works normally if I disable the token authentication mechanism. However, my backend requires token authentication. I tried passing the token as a URL parameter and also adding the token field in the OnlyOffice editor config, but OnlyOffice encrypts my original token value before forwarding it. How can I make OnlyOffice forward it without encrypting it? Is there a specific config field for this, or do I need to modify the OnlyOffice server configuration? Thank you.

Nurullo · 30 March 2026 10:35

Hi @hanxin,

ONLYOFFICE isn’t encrypting your token. Here’s what’s actually happening:

When you open the editor, DS takes your entire config (including document.url) and wraps it in its own JWT signature for security. But your token inside the URL is passed through as-is when DS fetches the file.

So your backend should still be receiving your token in the query string. If it’s rejecting the request, something else is likely causing it.

Can you first try this sample URL in place of yours to confirm your setup is working?
https://static.onlyoffice.com/assets/docs/samples/demo.docx

If that works but your URL doesn’t, the issue is with your backend configuration, not ONLYOFFICE.