- On the callback screen on client1.com, the frontend can take the JWT from the query param and call an API on the backend. This API will verify the JWT using the JWKS endpoint exposed by the backend of auth.com (the api layer which is integrated with our backend sdk exposes a jwks.json endpoint).
- If the JWT is valid, you can get the sub claim from it and use our session recipe to create a new session in client1.com (using session.createNewSession function). This will log the user into client1.com.
- When the user clicks logout on client1.com, only their session on client1.com will get revoked and they will still be logged into auth.com. If you want to revoke the auth.com session as well, then you will need to query the supertokens core from the backend of client1.com to revoke the session handle of auth.com. The session handle of auth.com can be added to the JWT that’s created at auth.com, and then this session handle can be added to client1.com’s session as well.