Protect your API

Validate the API request's authorization token

Auth issues a standard JWT-format authorization token for each authorized API request. The token is encrypted and signed as a JWS token.

Understanding JWS tokens

An encoded JWS token is constructed from three parts:

  • JOSE Header: Declares the token type and the signing algorithm

  • JWS Payload: Includes all the token's claims

  • JWS Signature: The signature, produced with a JWK

A standard schema of an Auth-issued JWS payload (claims may vary based on your custom OIDC config), listed as key: description:

  • jti: unique JWT ID

  • sub: subject, usually the user ID

  • iat: timestamp the token was issued at

  • exp: timestamp the token expires at

  • client_id: client ID

  • iss: token issuer identity

  • aud: audience of the token

INFO

For development, to visually inspect a JWT, you can visit jwt.io to decode and check the tokens you receive. Be careful with, or never use, tokens from a production environment: jwt.io is a third-party public online service, so your token may be exposed.

Validate the authorization token

  1. The token's issuer is https://<your-auth-domain> (issued by your Auth server).

  2. The token is within its expiration time.

There are various open-source libraries and packages that can help you validate and decode a JWT easily. Pick one and integrate it with your backend application based on the language and framework you are using. Please check some of the examples we have:

Reference

Auth uses the authorization code flow of the OAuth 2.0 Authorization Protocol to make your API requests safer. If you are interested in the strategy behind it, refer to OAuth 2.0's official document for more details.
