Integrate THRON on an external channel: developer guide
Server-side implementation of an asset showcase on a website, portal, or application: JWT authentication, content retrieval, filters, and playback via Player.
What you need before you begin
Make sure you have all the credentials before starting. Some are provided by the THRON team, others you obtain from the Content Manager who manages the platform.
App's JWT credentials | |
Dedicated user username | |
THRON Subdomain | The subdomain of your THRON access (e.g. |
Folder pKey | Generated by the Custom Application in the platform by the Content Manager |
How to request the user from the Content Manager
To access the contents of a folder via API, THRON verifies that the user you are operating with has rights on that folder. You cannot use only the app credentials: you need a real THRON user to impersonate in the calls — this is the mechanism called User Impersonation.
Ask the Content Manager to:
- Create a THRON user dedicated to the integration (e.g. api-websiteorintegration-[project-name])
- Assign them read rights on the folder you want to expose
- Send you the username; you don't need the password
## Additional articles
- Configure Users and Groups

Attention: client_id and client_secret belong to the JWT external app, an application separate from the Custom Application used for the pKey. Always store them server-side; never expose them to the browser or frontend.
Authentication
THRON uses OAuth 2.0 with JWT tokens. To access specific contents and folders — which verify access permissions via ACL — User Impersonation is required: the system authenticates with the app credentials but operates with the rights of the dedicated user who has access to the folder.
Recommended flow: User Impersonation
Use this flow whenever you need to access specific contents or folders.
POST /api/v1/authentication/oauth2/token HTTP/1.1
Host: {tenantId}.thron.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn:thron:oauth:user-impersonation
&scope=
&client_id={client_id}
&client_secret={client_secret}
&subject={username}
In response you receive access_token (JWT) and refresh_token. The token lasts 8 hours (expires_in: 28800).
Alternative flow: Client Credentials
Use this flow only for operations that do not require access to specific contents or folders. Without User Impersonation, the token has no ACLs on folders and does not return contents.
POST /api/v1/authentication/oauth2/token HTTP/1.1
Host: {tenantId}.thron.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&scope=
&client_id={client_id}
&client_secret={client_secret}
Renew the token
When the access token expires (response 403 Session Expired), use the refresh token to obtain a new one without repeating the full authentication.
POST /api/v1/authentication/oauth2/token HTTP/1.1
Host: {tenantId}.thron.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token={refresh_token}
&client_id={client_id}
In response you receive a new access_token and a new refresh_token. The previous one is no longer valid.
Implement refresh in advance of expiration — do not wait for the 403.
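The User Impersonation and refresh flows above, combined into a server-side token cache that renews ahead of expiry (an added example, not THRON's own code). `ThronTokenManager`, the injectable `post` and `clock` parameters and the 300-second margin are assumptions; the refresh response is assumed to carry `expires_in`, with the guide's 28800 seconds as fallback.

```python
import json, threading, time, urllib.parse, urllib.request

TOKEN_PATH = "/api/v1/authentication/oauth2/token"  # endpoint from the guide

def http_post_form(url, fields):
    """POST application/x-www-form-urlencoded over HTTPS and return the JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class ThronTokenManager:
    """Hypothetical helper: keeps the secret server-side, renews the JWT early."""
    def __init__(self, tenant_id, client_id, client_secret, username,
                 post=http_post_form, clock=time.monotonic, margin=300):
        self._url = f"https://{tenant_id}.thron.com{TOKEN_PATH}"
        self._client_id, self._secret, self._user = client_id, client_secret, username
        self._post, self._clock, self._margin = post, clock, margin
        self._lock = threading.Lock()
        self._access, self._refresh, self._expires_at = None, None, 0.0

    def _store(self, body):
        # The refresh token rotates on every renewal: keep only the newest pair.
        self._access, self._refresh = body["access_token"], body["refresh_token"]
        # Assumption: expires_in may be absent on refresh; 28800 s is the documented lifetime.
        self._expires_at = self._clock() + int(body.get("expires_in", 28800))

    def _impersonate(self):
        self._store(self._post(self._url, {
            "grant_type": "urn:thron:oauth:user-impersonation", "scope": "",
            "client_id": self._client_id, "client_secret": self._secret,
            "subject": self._user}))

    def access_token(self):
        """Return a valid JWT, renewing it `margin` seconds before it expires."""
        with self._lock:  # one renewal at a time: a rotated refresh token is single-use
            if self._access and self._clock() < self._expires_at - self._margin:
                return self._access
            if self._refresh is not None:
                try:
                    self._store(self._post(self._url, {
                        "grant_type": "refresh_token",
                        "refresh_token": self._refresh, "client_id": self._client_id}))
                    return self._access
                except Exception:
                    pass  # refresh rejected or failed: fall back to full authentication
            self._impersonate()
            return self._access
```

Construct one instance per backend process with credentials read from the server's secret store, and pass only `access_token()` results to outgoing API calls.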
## Additional articles
- THRON API Documentation

JWT and XTokenID: when to use which
The new THRON APIs use JWT in the Authorization header:
Authorization: Bearer {access_token}
Some legacy APIs still require the XTokenID token in the X-TokenID header. To obtain it from the JWT:
GET /api/v1/authentication/token/legacy HTTP/1.1
Host: {tenantId}.thron.com
Authorization: Bearer {access_token}
Response:
{ "token": "e1aff403-6583-40f1-961c-f91458aa2112" }
Use the returned value by adding the X-TokenID: {token} header to the calls that require it.
## Additional articles
- THRON API Documentation

Asset search and filters
To retrieve assets from the folder, use the search APIs documented in the official portal. The calls must be executed with the token obtained through User Impersonation: only then does the system return the contents to which the impersonated user has access.
If a filter attribute is configured in the platform (select or multiselect), the typical flow is:
Retrieve the available values of the attribute → use them to build the filters in the interface
Execute the asset search applying the value selected by the user
Always retrieve filter values via API — do not hardcode them in the frontend. In this way, filters update automatically when the Content Manager modifies the values in the platform.
## Additional articles
- THRON API Documentation

Asset playback
You have two options to display an asset on the external channel.
THRON Player (recommended)
Use the folder's pKey as the sessId parameter in the embed script and the content ID as the xcontentId parameter. The Player automatically manages formats, responsiveness, accessibility, and style updates.
Browser native player
Use the direct URL of the file returned by the API. Suitable if you have full control over the interface and do not need the features of the THRON Player.
## Additional articles
- THRON Player: new version

Recommended configuration
Standard preset
Authentication flow | User Impersonation, required to access folders and contents |
Credentials storage | Server-side, never exposed to the browser or frontend |
Token management | Implement automatic refresh before expiration |
Playback | THRON Player with pKey, unless completely custom UI is required |
Filter values | Always retrieve them from the API; do not hardcode them in the frontend |
Need help?
For technical issues, write to support@thron.com.