Implementation:OpenHands OpenHands SaaSServerConfig
| Knowledge Sources | |
|---|---|
| Domains | Server_Architecture, SaaS_Infrastructure |
| Last Updated | 2026-02-11 21:00 GMT |
Overview
Concrete tool for centralizing JWT authentication settings, feature flags, and provider credentials into a validated configuration object, provided by the OpenHands enterprise server layer.
Description
The SaaSServerConfig class extends ServerConfig to provide SaaS-specific configuration management. It reads environment variables for JWT secrets, GitHub App credentials, billing provider keys, and feature flags during initialization. The verify_config method validates that all required settings are present and consistent, raising errors at startup if critical values are missing. The get_config method returns a dictionary representation suitable for serialization. The _get_app_slug method resolves the GitHub App slug from the API. The module also provides standalone utility functions: sign_token creates JWT tokens from payload dictionaries, and verify_signature validates webhook payloads against cryptographic signatures to ensure they originate from trusted sources.
Usage
Use this configuration class when initializing the SaaS server to establish authentication parameters and feature flags. Instantiate SaaSServerConfig early in the server bootstrap process and pass it to components that require authentication settings, billing configuration, or provider credentials. Use sign_token when creating session tokens and verify_signature when processing incoming webhooks.
Code Reference
Source Location
- Repository: OpenHands
- File: enterprise/server/config.py:L63-194
- Also: enterprise/server/config.py:L39-42 (sign_token), L45-60 (verify_signature)
Signature
    class SaaSServerConfig(ServerConfig):
        def __init__(self) -> None:
            ...

        def get_config(self) -> dict:
            ...

        def verify_config(self) -> None:
            ...

        def _get_app_slug(self) -> str:
            ...

    # Standalone utility functions
    def sign_token(payload: dict, jwt_secret: str, algorithm: str = 'HS256') -> str:
        ...

    def verify_signature(payload: bytes, signature: str) -> bool:
        ...
Import
    from enterprise.server.config import SaaSServerConfig, sign_token, verify_signature
I/O Contract
Inputs
| Name | Type | Required | Description |
|---|---|---|---|
| payload | dict | Yes | Dictionary of claims to encode in the JWT token (for sign_token) |
| jwt_secret | str | Yes | Secret key used for signing and verifying JWT tokens |
| algorithm | str | No | JWT signing algorithm, defaults to 'HS256' |
| payload | bytes | Yes | Raw request body bytes to verify (for verify_signature) |
| signature | str | Yes | Cryptographic signature string from the webhook header |
Outputs
| Name | Type | Description |
|---|---|---|
| config | SaaSServerConfig | Fully initialized and validated configuration object |
| token | str | Signed JWT token string (from sign_token) |
| is_valid | bool | Whether the webhook signature is valid (from verify_signature) |
| config_dict | dict | Dictionary representation of configuration (from get_config) |
Usage Examples
Basic Usage
    from enterprise.server.config import SaaSServerConfig, sign_token, verify_signature

    # Initialize and validate server configuration
    config = SaaSServerConfig()
    config.verify_config()

    # Create a JWT token for a user session
    token = sign_token(
        payload={"user_id": "usr_123", "email": "user@example.com"},
        jwt_secret=config.jwt_secret,
    )

    # Verify an incoming webhook signature.
    # `request` is the web framework's request object and `request_body` is the
    # raw, unparsed body bytes of that request.
    is_valid = verify_signature(
        payload=request_body,
        signature=request.headers["X-Hub-Signature-256"],
    )
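
The check that an `X-Hub-Signature-256` header calls for, as an added example (not the OpenHands code): GitHub's documented scheme is HMAC-SHA256 over the raw request body, sent as `sha256=<hex>`. The helper names, the explicit `secret` parameter and the sample values are assumptions made for illustration; whether `verify_signature` is implemented exactly this way is not stated on this page.

```python
import hashlib
import hmac
import json
from typing import Optional

SIG_PREFIX = "sha256="


def compute_signature(secret: bytes, body: bytes) -> str:
    """Header value a sender holding `secret` would attach to `body`."""
    return SIG_PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()


def check_webhook(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Verify an X-Hub-Signature-256 style header against the raw body bytes."""
    # Fail closed on a missing header or an unexpected scheme (e.g. "sha1=").
    if not header or not header.startswith(SIG_PREFIX):
        return False
    expected = compute_signature(secret, body)
    # compare_digest takes time independent of where the inputs differ, so
    # response timing does not reveal how many leading characters matched.
    return hmac.compare_digest(expected.encode(), header.encode())


# Constructed sample data (not a real secret or a real webhook delivery).
SECRET = b"constructed-webhook-secret"
BODY = b'{"action":"opened","number":1}'
GOOD = compute_signature(SECRET, BODY)


def demo() -> dict:
    """Run the check over the cases a webhook handler has to get right."""
    # Parsing and re-dumping JSON changes whitespace, hence the bytes and the
    # MAC: the check must run on the body exactly as received.
    reserialized = json.dumps(json.loads(BODY)).encode()
    return {
        "valid": check_webhook(SECRET, BODY, GOOD),
        "tampered_body": check_webhook(SECRET, BODY.replace(b"1", b"2"), GOOD),
        "reserialized_body": check_webhook(SECRET, reserialized, GOOD),
        "missing_header": check_webhook(SECRET, BODY, None),
        "wrong_scheme": check_webhook(SECRET, BODY, "sha1=" + GOOD[len(SIG_PREFIX):]),
        "wrong_secret": check_webhook(b"other-secret", BODY, GOOD),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'accept' if ok else 'reject'}")
```

The `reserialized_body` case is why the I/O contract takes `payload` as `bytes`: verify before any JSON parsing touches the body.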