Skip to main content

Getting public keys for JWT verification

1) Call the JWKS endpoint for SuperTokens Core#

SuperTokens uses RSA for signing JWTs, this means that in order to verify the JWT you need a public key. SuperTokens provides a JWKS endpoint that contains a set of public keys as Json Web Keys

You can make a GET request to the SuperTokens core on {connectionURI}/recipe/jwt/jwks:

  • If you are using our managed service use the connectionURI found on the supertokens.com dashboard
  • If you are using the self-hosted option, you can query any one of the SuperTokens core instances that you host
important

When calling {connectionURI}/recipe/jwt/jwks, if you get back a 401 response, it means that you have not supplied the right API key for the core. You can pass the API key using the api-key header in the request.

The response would be similar to: 

{    "keys": [        {            "kty": "RSA",            "kid": "2de612a5-a5ba-413e-9216-4c43e2e78c86",            "n": "AMZruthvYz7Ft-Dp0BC_...", // Truncated for display            "e": "AQAB",            "alg": "RS256",            "use": "sig"        }    ],    "status": "OK"}

The keys array in the response contains a list of Json Web Keys (JWK).

2) JWT verification using a key string#

A JWK can also be converted into a key string. Some libraries and services may require you to provide a key string during JWT verification.

For example, let's consider using NodeJS with jsonwebtoken. jsonwebtoken allows you to provide a certificate that will be used to verify JWTs, once you fetch a JWK to use (as explained above) you can then convert it to a key string by using a library or an online service (since this is a public key there is no risk in using an online service).

In this example we will use jwk-to-pem

import jwkToPem from 'jwk-to-pem';
// This JWK is copied from the result of the above SuperTokens core requestlet jwk = {    "kty": "RSA",    "kid": "2de612a5-a5ba-413e-9216-4c43e2e78c86",    "n": "AMZruthvYz7Ft-Dp0BC_SEEJaWK91s_YA-RR81iLJ6BTT6gJp0CcV4DfBynFU_59dRGOZyVQpAW6Drnc_6LyZpVWHROzqt-Fjh8TAqodayhPJVuZt25eQiYrqcaK_dnuHrm8qwUq-hko6q1o1o9NIIZWNfUBEVWmNhyAJFk5bi3pLwtKPYrUQzVLcTdDUe4SIltvvfpYHbVFnYtxkBVmqO68j7sI8ktmTXM_heals-W6WmozabDkC9_ITCeRat2f7A2l0t4QzO0ZCzZcJfhusF4X1niKgY6yYXpbX6is4HCfhYfdabcE52xYMNl-gw9XDjsIxfBMUDvOFRHWlx0rU8c=",    "e": "AQAB",    "alg": "RS256",    "use": "sig"};
let certString = jwkToPem(jwk);

The above snippet would generate the following certificate string:

-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxmu62G9jPsW34OnQEL9IQQlpYr3Wz9gD5FHzWIsnoFNPqAmnQJxXgN8HKcVT/n11EY5nJVCkBboOudz/ovJmlVYdE7Oq34WOHxMCqh1rKE8lW5m3bl5CJiupxor92e4eubyrBSr6GSjqrWjWj00ghlY19QERVaY2HIAkWTluLekvC0o9itRDNUtxN0NR7hIiW2+9+lgdtUWdi3GQFWao7ryPuwjyS2ZNcz+F5qWz5bpaajNpsOQL38hMJ5Fq3Z/sDaXS3hDM7RkLNlwl+G6wXhfWeIqBjrJheltfqKzgcJ+Fh91ptwTnbFgw2X6DD1cOOwjF8ExQO84VEdaXHStTxwIDAQAB-----END PUBLIC KEY-----

You can then use this when configuring jsonwebtoken

import JsonWebToken from 'jsonwebtoken';
// Truncated for displaylet certificate = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhki...\n-----END PUBLIC KEY-----";let jwt = "...";JsonWebToken.verify(jwt, certificate, function (err, decoded) {    let decodedJWT = decoded;    // Use JWT});

For other languages, jwt.io recommends some libraries that you can use for JWT verification

caution

Make sure that you add line break characters to your string as shown above, certificate strings without the line breaks are considered invalid

Which frontend SDK do you use?
supertokens-web-js / mobile
supertokens-auth-react