How to secure staffMemberId in session?

nirtayeb · July 6, 2025, 7:49am

I want to identify the actual user operating the POS on my app’s backend (in our case, the person clocking in a staff member for a shift).
• The user in the session token is the person who logged into the POS.
• The session.staffMemberId represents the actual operator.

The issue is that I can’t guarantee the session.staffMemberId hasn’t been tampered with in the request to the backend.

What do you suggest?
Would it be possible to include the session information (such as staffMemberId) inside the signed session token?

nirtayeb · July 23, 2025, 7:24am

When the user opens the website tile, the session token received from AppBridge includes the pinned staff member as expected. Can we match this behavior in the UI Extension?

Topic		Replies	Views
SessionToken showing as null Extensions pos-extensions	8	165	June 5, 2025
Get staff role id from cart in pos? Extensions pos-extensions	2	19	May 6, 2025
[Bug]: POS Extension Session Token Bug Extensions pos-extensions	8	219	June 4, 2025
User related data from admin request App Bridge app-bridge	20	126	July 24, 2025
Pos extension authentication and session token issue Authentication & Access oauth	1	11	June 13, 2025

How to secure staffMemberId in session?

Related topics