Decode and verify the id_token

Alongside a code, you will also receive an id_token. This is a signed JWT and can be verified locally:

backend/login.ts
import { verifyIdToken } from '@passlock/node/principal';
const tenancyId = "myTenancyId";
const apiKey = "myApiKey"; // not passed to verifyIdToken below
// idToken is the id_token you received alongside the code
const { principal } = await verifyIdToken(idToken, { tenancyId });

Behind the scenes, verifyIdToken uses the jose library to decode and verify the JWT, before transforming it into a Principal.

If you are unable (or unwilling) to use the Passlock server library, you can decode and verify the id_token yourself using your chosen JWT library.

Our public keys are published in JWKS format at https://api.passlock.dev/.well-known/jwks.json

We currently sign using RS256; however, this is likely to change as we move to PS256, PS384 or PS512. Please see the list of JOSE supported algorithms.

We rotate JWS keys, so please don't assume the signing key will remain constant.