  • rp (9 months ago)
    great!
  • legolas8911 (9 months ago)
    hey! anyone can point me in the right direction regarding a supertokens JWT validation (or even decode)? I know I can just split the 3 parts and do a base64decode on the payload but I would try to avoid it, even though I am using the verifySession middleware one level higher. jwt.io correctly decodes everything but jsonwebtokens decode always returns null. I have enabled the JWT recipe so I have the jwk endpoint available but I don't know what to do with that data/if I need it. Thanks!
  • rp (9 months ago)
    Hi @User if you are using verifySession, you don't need to verify the access token yourself manually.
  • rp (9 months ago)
    May I ask your use case exactly? So I can point you to the right resource.
  • legolas8911 (9 months ago)
    @User I am doing that, but on a higher level. I have a GQL Federation server (which also exposes the supertokens apis, so I have access to verifySession) but then I'm passing the JWT forward to the federated GQL servers and I would like to validate the token there as well for an added layer of security. Since it's a different lambda function I can't use verifySession. I thought maybe it's possible to decode/validate the JWT on the federated service by using the jwt/jwk.json GET request or something, but JWKs are a big unknown to me
  • rp (9 months ago)
    Ahh I see. So the access token we issue isn't a JWT. It's a signed cookie, but not a JWT. So don't treat it as such.
  • rp (9 months ago)
    If you want a JWT, then you should use the feature we released today: https://supertokens.io/docs/thirdpartyemailpassword/common-customizations/sessions/with-jwt/enabling-jwts. With this, you can extract a JWT from the session and then verify that using any standard JWT verification method.
  • rp (9 months ago)
    (you will need to upgrade the backend lib to the latest version though)
  • rp (9 months ago)
    And, you don't need to initialise the JWT recipe, as when you pass enable: true, to the session recipe, it internally initialises the JWT recipe.
  • legolas8911 (9 months ago)
    heh, funny thing is that jwt.io is able to properly decode it and it doesn't complain. jsonwebtoken and jose all return null, that's what got me into this rabbit hole 😄