How to secure staffMemberId in session?

I want to identify the actual user operating the POS on my app’s backend (in our case, the person clocking in a staff member for a shift).
• The user in the session token is the person who logged into the POS.
• The session.staffMemberId represents the actual operator.

The issue is that I can’t guarantee the session.staffMemberId hasn’t been tampered with in the request to the backend.

What do you suggest?
Would it be possible to include the session information (such as staffMemberId) inside the signed session token?

1 Like
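One way to make the backend's decision depend only on the signed token, as an added illustration that is not code from the original post or from the platform being discussed. It assumes the session token is an HS256 JWT verified with the app's secret, and it uses a hypothetical `staffMemberId` claim as the place where the operator identity would travel inside the signed token; the secret and the `mint_token` helper are constructed here only to produce test input, standing in for whatever issues the real token. The point it demonstrates: a `staffMemberId` arriving in the request body is never trusted on its own, it is at most checked against the value the verified token carries.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; a real app loads its secret from configuration.
APP_SECRET = b"example-app-secret-do-not-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # Restore the padding JWT encoding strips before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = APP_SECRET) -> str:
    """Build an HS256 JWT. Stands in for the platform's token issuer; used only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = APP_SECRET, now=None) -> dict:
    """Check signature and expiry, then return the claims. Raises ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the header is attacker-controlled until the signature is checked,
    # so it must never select the verification method.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def resolve_operator(token: str, request_body: dict, now=None) -> str:
    """Return the staff member id the backend should act on.

    The id is taken from the verified token only (hypothetical 'staffMemberId' claim).
    A staffMemberId in the request body is optional and is accepted only when it
    matches the signed value; any mismatch is rejected rather than resolved in the
    body's favour.
    """
    claims = verify_token(token, now=now)
    trusted = claims.get("staffMemberId")
    if trusted is None:
        raise ValueError("token carries no operator claim")
    claimed = request_body.get("staffMemberId")
    if claimed is not None and str(claimed) != str(trusted):
        raise ValueError("body staffMemberId does not match signed token")
    return str(trusted)


if __name__ == "__main__":
    token = mint_token({"sub": "user-1", "staffMemberId": "staff-42", "exp": int(time.time()) + 60})
    print(resolve_operator(token, {"staffMemberId": "staff-42"}))
    try:
        resolve_operator(token, {"staffMemberId": "staff-99"})
    except ValueError as e:
        print("rejected:", e)
```

Until the operator id actually travels inside the signed token, the backend has no trustworthy source for it and the body value should be treated as a display hint at most; once it does, the body field becomes redundant and can be dropped entirely.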

When the user opens the website tile, the session token received from AppBridge includes the pinned staff member as expected. Can we match this behavior in the UI Extension?