Skip to main content

Verify Tokens

Paid Feature

This is a paid feature.

You can click on the Enable Paid Features button on our dashboard, and follow the steps from there on. Once enabled, this feature is free on the provided development environment.

There are two ways with which you can verify an OAuth2 Access Token:

  • By using a standard JWT, JSON Web Token, verification library
  • By calling the special introspection endpoint that we expose through the core service

We will explain when you should use each method in the sections below.

One thing to note is that, besides the standard OAuth2 token claims, our implementation includes an additional one called stt. This stands for SuperTokens Token Type. It is used to make sure that the validation is performed for the correct token type:

  • 0 represents a SuperTokens Session Access Token
  • 1 represents an OAuth2 Access Token
  • 2 represents an OAuth2 ID Token.
info

The following guide covers only OAuth2 Tokens verification. For information on how to verify Supertokens Session Tokens please refer to the following section.

Validation Method

Using a generic JWT verification library

This is the standard validation method and should be used for most of the operations that need to be protected. It will tell you that the token is valid from a cryptographic standpoint and that it has not expired.

The code samples show you a basic validation scenario where we check if the token has the required scope in order for an action to be performed.

info

If your scenario involves a common backend with multiple frontend clients you can drop the client_id check.

App Info

Adjust these values based on the application that you are trying to configure. To learn more about what each field means check the references page.
This is the URL of your app's API server.
This is the URL of your app's API server.
SuperTokens will expose it's APIs scoped by this base API path.
This is the URL of your website.
The path where the login UI will be rendered

For NodeJS you can use jose to verify the token.

import jose from "jose";

const JWKS = jose.createRemoteJWKSet(new URL('<YOUR_API_DOMAIN>/authjwt/jwks.json'))

// Follow this example if you are using the Authorization Code Flow
async function validateToken(jwt: string) {
const requiredScope = "<YOUR_REQUIRED_SCOPE>";
const clientId = '<CLIENT_ID>';

try {
const { payload } = await jose.jwtVerify(jwt, JWKS, {
requiredClaims: ['stt', 'scp', 'client_id'],
});

if(payload.stt !== 1) return false;
if(payload.client_id !== clientId) return false;

const scopes = payload.scp as string[];
return scopes.includes(requiredScope);
} catch (err) {
return false;
}
}

Email Verification

If you are using email and password based authentication, and you want to validate if the user has verified their email, you will have to check if the email_verified claim is true.

Calling the Token Introspection API

When a user logs out, their token will be removed from the SuperTokens Core database. That change will not reflect in token validation process that uses a JWT verification library. The token will stil be valid until its expiration time.

In order to completely make sure that the token has not been removed you can directly call the SuperTokens Core service. We recommend that you perform this process for high security operations, in order to avoid the risk of a token being used by a malicious agent.

Here is an example of how you can use this validation method:

By Directly Calling the Introspection Endpoint

# The response status should be 200
# and the body should have an "active" property set to true
curl -X POST \
-H "Content-Type: application/json" \
-d '{"token": "<YOUR_TOKEN>"}' \
"<YOUR_API_DOMAIN>/auth/oauth/introspect"

By Using the SDK Method

If you are using a NodeJS backend you can directly call the SDK.

import OAuth2Provider from "supertokens-node/recipe/oauth2provider";

async function validateToken(token: string) {
const { status } = await OAuth2Provider.validateOAuth2AccessToken(
token,
{
clientId: "<CLIENT_ID>",
scopes: ["<REQUIRED_SCOPE>"],
},
true
);

return status === "OK";
}