Decode and verify the id_token

Alongside a code, you will also receive an id_token. This is a signed JWT and can be verified locally:

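import { verifyIdToken, isVerificationError } from '@passlock/server';

const tenancyId = "myTenancyId";

try {
  // token is the id_token received alongside the code
  const result = await verifyIdToken({ token, tenancyId });
  // result is only in scope here; use the verified Principal inside the try block
} catch (e) {
  // isVerificationError identifies a token that failed verification
  if (isVerificationError(e)) {
    console.log("Invalid ID token");
  }
}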

Behind the scenes, verifyIdToken uses the jose library to decode and verify the JWT, before transforming it into a Principal.

If you are unable (or unwilling) to use the Passlock server library, you can decode and verify the id_token yourself using your chosen JWT library.

Our public keys are published in JWKS format at https://api.passlock.dev/.well-known/jwks.json

We currently sign using RS256; however, this is likely to change as we move to PS256, PS384 or PS512. Please see the list of JOSE supported algorithms.

We rotate JWS keys, so please don’t assume the signing key will remain constant.
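
The manual verification described above, as an added example (not Passlock's code): it uses Node's built-in crypto instead of a JWT library so it runs offline, with locally generated keys standing in for the published JWKS. The names verifyJwt, demoKey and demoSign are hypothetical, and the exp check assumes the token carries that standard claim.

```javascript
const crypto = require('node:crypto');
// Allowlist: the algorithm the page says is used today plus the ones it may move to.
const ALGS = new Map([
  ['RS256', { hash: 'sha256', pss: false }],
  ['PS256', { hash: 'sha256', pss: true }],
  ['PS384', { hash: 'sha384', pss: true }],
  ['PS512', { hash: 'sha512', pss: true }],
]);
const PSS = { padding: crypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST };
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// jwks is the parsed JWKS document; on 'unknown kid', re-fetch it once and retry (key rotation).
function verifyJwt(token, jwks, nowSec = Math.floor(Date.now() / 1000)) {
  const [h, p, s, extra] = token.split('.');
  if (!s || extra !== undefined) throw new Error('malformed token');
  const header = decode(h);
  const alg = ALGS.get(header.alg); // rejects "none", HS256 and anything else unlisted
  if (!alg) throw new Error('algorithm not allowed');
  // Pick the key by kid on every call instead of pinning one signing key.
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && typeof k.kid === 'string' && k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify(alg.hash, Buffer.from(`${h}.${p}`), { key, ...(alg.pss ? PSS : {}) }, sig)) {
    throw new Error('bad signature');
  }
  const claims = decode(p);
  // Assumption: the token carries the standard exp claim; other claim checks are not shown.
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}

// Constructed demo data: locally generated keys stand in for a rotated JWKS.
function demoKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { privateKey, jwk: { ...publicKey.export({ format: 'jwk' }), kid } };
}
function demoSign(privateKey, header, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc(header)}.${enc(claims)}`;
  const alg = ALGS.get(header.alg) ?? ALGS.get('RS256');
  return `${input}.${crypto.sign(alg.hash, Buffer.from(input), { key: privateKey, ...(alg.pss ? PSS : {}) }).toString('base64url')}`;
}

const [oldKey, newKey] = [demoKey('k1'), demoKey('k2')];
const jwks = { keys: [oldKey.jwk, newKey.jwk] };
const exp = Math.floor(Date.now() / 1000) + 300;
const token = demoSign(newKey.privateKey, { alg: 'RS256', kid: 'k2' }, { sub: 'user-1', exp });
console.log(verifyJwt(token, jwks));
```

With a real deployment, the JWKS comes from the URL above; cache it and re-fetch once when a token's kid is not in the cached set.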