Skip to main content

Verify JWTs

Method 1) Using JWKS endpoint#

a) Get JWKS endpoint#

Refer to this page to get the JWKS endpoint for your backend

b) Verify the JWT#

Some libraries let you provide a JWKS endpoint to verify a JWT. For example for NodeJS you can use jsonwebtoken and jwks-rsa together to achieve this.

import JsonWebToken, { JwtHeader, SigningKeyCallback } from 'jsonwebtoken';import jwksClient from 'jwks-rsa';
var client = jwksClient({  jwksUri: '{apiDomain}/{apiBasePath}/jwt/jwks.json'});
function getKey(header: JwtHeader, callback: SigningKeyCallback) {  client.getSigningKey(header.kid, function (err, key) {    var signingKey = key!.getPublicKey();    callback(err, signingKey);  });}
let jwt = "...";JsonWebToken.verify(jwt, getKey, {}, function (err, decoded) {  let decodedJWT = decoded;  // Use JWT});

For other languages, jwt.io recommends some libraries that you can use for JWT verification

Method 2) Using public key string#

a) Getting a certificate string#

Refer to this to know how to retrieve a key string to use

b) Verify the JWT#

Some libraries/services let you configure a secret that can be used for JWT verification. Using the same example as above you can use a key when using jsonwebtoken.

import JsonWebToken from 'jsonwebtoken';
// Truncated for displaylet certificate = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhki...\n-----END PUBLIC KEY-----";let jwt = "...";JsonWebToken.verify(jwt, certificate, function (err, decoded) {    let decodedJWT = decoded;    // Use JWT});

For other languages, jwt.io recommends some libraries that you can use for JWT verification