How to validate Authress JWT access tokens

(For information about OAuth, check out the OAuth FAQ)

Background

Authress issues JWT access tokens signed with EdDSA, an asymmetric signature algorithm: the signing (private) key stays with Authress, and your services verify tokens using only the matching public keys. The public keys for your account are published as a JWK Set (JWKS) at:

https://YourCustomDomain/.well-known/openid-configuration/jwks

In the case that you haven’t set up your custom domain yet, the keys are also located at:

https://YourAccountAccountId.login.authress.io/.well-known/openid-configuration/jwks

You can get your accountId by visiting the Authress API in the management portal.

Key lifetime

The Authress public keys can and should be cached to avoid fetching the JWKS on every request. However, do not cache them indefinitely: on rare occasions a key will be rotated, either by a security event generated within Authress or manually through the management portal. Given this possibility, your verifier must be prepared to handle key rotation and expiry: refresh the cached key set periodically, and refresh it early when a token arrives with a key ID (kid) that is not in the cache, rate-limiting those early refreshes so that forged tokens cannot be used to flood the JWKS endpoint.

Additionally, your Authress account can and will have multiple active keys at the same time. Not all of them are used to sign access tokens, so your verifier must handle a key set rather than a single key: select the key whose kid matches the kid in the token header, and reject the token if no key in the set matches.

Verification

Getting the public key is only the first step. The next part is converting the key from the JWK format into the form your JWT library expects (typically PEM) and then verifying the token: check that the header's alg is EdDSA rather than trusting whatever algorithm the token names, verify the signature with the selected key, and check the standard claims such as exp. Most of the Authress SDKs contain a TokenVerifier that does this for you. Using the SDK is not required, but it is recommended. A list of SDKs is available in the Authress API Portal.

(If you don’t see the one you want, please reach out to our development team).
