Decode and verify the id_token

Following a successful registration or authentication operation, your frontend will receive a code. This can be exchanged for a Principal, representing the outcome of the operation:

frontend/authenticate.ts

import { Passlock } from '@passlock/browser';

const passlock = new Passlock({ tenancyId });

const result = await passlock.authenticatePasskey({
  authenticationToken
});

if (result.success) {
  // send this to your backend
  console.log(result.value.id_token);
}

backend/authenticate.ts

import { Passlock } from '@passlock/server';

const passlock = new Passlock({ tenancyId, apiKey });

const result = await passlock.verifyIdToken({ id_token });

if (result.success) {
  // will be a Principal
  console.log(result.value);
}

Behind the scenes, verifyIdToken uses the jose library to decode and verify the JWT, before transforming it into a Principal.

Note

The first time you call verifyIdToken, the library will fetch the relevant signing key from our public JWKS endpoint. It will be cached for subsequent calls.

Use your own JWT library

If you are unable to use the Passlock server library, you can decode and verify the id_token yourself using your chosen JWT library.

JWKS

Our public keys are published in JWKS format at:
https://api.passlock.dev/.well-known/jwks.json

Algorithms

We are currently signing using RS256, however this is likely to change as we move to PS256, PS384 or PS512. Please see the list of JOSE supported algorithms.

Key rotation

We rotate JWS keys. Don’t assume the signing key will remain constant.