Hi supertokens teams
I'd like to know if it is pos...
# support-questions-legacys
samuelqosenergy
01/20/2023, 12:32 PMHi supertokens teams
I'd like to know if it is possible to verify the signature of an access token on client side (it's a main app server) ?
I've retrieved the jwks, the access token but I cannot match both.
r
rp_st
01/20/2023, 12:35 PMhey @samuelqosenergy
rp_st
01/20/2023, 12:36 PMyou should use our backend SDK's verifySession function to verify the access token
s
samuelqosenergy
01/20/2023, 12:38 PMHello
Yes, I saw that but I'd like to do it outside the backend in order not to call the api too frequently
r
rp_st
01/20/2023, 12:40 PMverifySession is stateless
rp_st
01/20/2023, 12:40 PMso it doesn't call the API
rp_st
01/20/2023, 12:42 PManyway, if you want to use a JWT lib, you should not use the sAccessToken cookie directly for JWT verification, but instead extract the JWT from the session on the frontend (See our docs for how to do that), and then send the JWT as an authorization bearer token to the backend and pass that into the JWT verification lib. That should work
s
samuelqosenergy
01/23/2023, 10:34 AMok, we found a solution
using this feature : https://supertokens.com/docs/passwordless/common-customizations/sessions/with-jwt/enabling-jwts#enable-jwt-feature
a jwt is automatically added to the access token payload and the signature of this sub-token can be checked using the jwks
so the content of this sub-token can be used by any client using an external session
not sure its the best way to proceed but it works
r
rp_st
01/23/2023, 10:35 AMyea. this is fine!