I don’t think you have read the docs and don’t understand what the JWT is for.
- An extension loads
- An extension calls onAuthorised with a JWT.
- You can parse (without validation) that JWT extension side to look for the “real” TwitchID, if your extension asks users to share their TwitchID. If your extension doesn’t ask a user to share their ID then you’ll only have the opaqueID.
You can send that JWT to your EBS, in order to test that JWT for it being valid or not against your Secret and then parse our the data, again, for the opaqueID and/or the realTwitchID.
You could pass that JWT via the websocket auth as you describe, but it depends if you need to pass the JWT out if you need the TwitchID of the user or not.
Basically JWT’s safely inject the TwitchID into an extension from Twitch itself.
Twitch Extension into EBS, you can do whatever you want to secure that connection depending on the needs and work flow of your extension.
I run four twitch extensions at time of writing, the three panel extensions all (in this case HTTP POST) the JWT offsite to fetch and return user information from my EBS, (ChannelCurrency, Giveaway status etc).
TLDR:
- the JWT is just a verifiable string that contains the TwitchID of the user (if you have enabled TwitchID sharing in your extension and the user has shared their TwitchID).
- If you want to use the JWT as part of your websocket handshake sure, do you need or are required to no.