Hi supertokens teams I'd like to know if it is possible to verify the signature of an access token o...
s
Hi SuperTokens team, I'd like to know if it is possible to verify the signature of an access token on the client side (it's a main app server)? I've retrieved the JWKS and the access token, but I cannot match both.
r
hey @samuelqosenergy
you should use our backend SDK's verifySession function to verify the access token
s
Hello. Yes, I saw that, but I'd like to do it outside the backend in order not to call the API too frequently.
r
verifySession is stateless
so it doesn't call the API
anyway, if you want to use a JWT lib, you should not use the sAccessToken cookie directly for JWT verification, but instead extract the JWT from the session on the frontend (see our docs for how to do that), and then send the JWT as an authorization bearer token to the backend and pass that into the JWT verification lib. That should work.
s
OK, we found a solution using this feature: https://supertokens.com/docs/passwordless/common-customizations/sessions/with-jwt/enabling-jwts#enable-jwt-feature. A JWT is automatically added to the access token payload, and the signature of this sub-token can be checked using the JWKS, so the content of this sub-token can be used by any client using an external session. Not sure it's the best way to proceed, but it works.
r
yea. this is fine!