JIT Approvals

JIT approvals are used to grant elevated privileges to your users for your applications. This process requires an administrators approval that when approved will provide access to the user in real time. There are a number of use cases in which JIT Approvals provide solutions to solve problems. This document will outline each of the JIT Approval types available to you and will define how to create, use, and manage Next Level3’s JIT Approvals within your Company Portal.

Accessing JIT Approvals

Requirements: Admin Level Next Level3 Company Account Access.

Login to company.nextlevel3.com and navigate to “Management” -> “JIT Approvals”.

JIT Approval Creation

JIT Approval Types

Currently, there are two approval types support by the Next Level3 Cloud Identity JIT Access platform including;

  • Approve - JIT access approval request that when triggered requires the default approver to approve the request that they received.

  • Sign and Approve - JIT access approval request that when triggered required the default approver to sign the request with their signature and then approve the request that is sent.

Generating an Authentication Token

An authentication token is a method used to verify user identity. Once the token has been verified, the user receives an Access Token which grants the user access to a service that it has been issued for and will work until the token becomes invalid. Next Level3 JIT Approval Authentication uses this process to grant elevated privileges to your users for your applications and supports protecting your applications by integrating Cloud Identity JIT Approvals directly to your applications. Generating the Authentication token required to make calls for your applications depends on the language your application uses. To integrate Next Level3 JIT Approvals into your application using authentication token generation, refer to the corresponding native language your application uses from the list below.

The Next Level3 Node.js integration is designed to be used for your existing applications or sites that are using native Node.js code for authentication. This integration will allow you to easily generate client specific authentication tokens for JIT Approval access to any application that leverages Node.js.


  • Node.js Application
  • Next Level3 Company Account
  • Signing Key created for an application in the Next Level3 Company Portal

The following Node.js code sample can be used to integrate an authentication token generator into your existing authentication flow for custom Node.js applications that are handling JIT Access calls within the application or where a third-party identity provider does not have a supported integration:

const nJwt = require('njwt');
var claims = {
  iss: process.env.APP_URI, //URI or FQDN of the site enabled for protection (e.g., FQDN of the site in company.nextlevel3.com for which the SIGNING_KEY is valid)
  aud: process.env.API_HOST, //URI of NL3 API
  sub: process.env.USERNAME //Username for application integrated with NL3 (i.e., one being checked for lock status)
let decodedDomainToken = Buffer.from(process.env.SIGNING_KEY, 'base64'); //SIGNING_KEY is the symmetric key retrieved from company.nextlevel3.com associated with the enabled site
var jwt = nJwt.create(claims, decodedDomainToken);
jwt.setExpiration(new Date().getTime() + (60*5*1000)); //5 minute expiration to allow for SignUp
jwt.setNotBefore(new Date().getTime() - (60*1*1000)); //Valid from 1 minute ago to account for minor time diffs
jwt.setClaim('otherClaim', claimValue); //Add any custom claims needed for approvals
var authToken = jwt.compact();