Auth0 Home Blog Docs

Having trouble with my node-Api validating my react client-side jwt-token



Hello Auth Community!

I’ve just started using Auth0 and its really cool, but im running into some issues.

My main issue is that I have a react client-side app that is saving the jwt token on user login - which is great. However when I try to fetch data from my separate Node API - the route that is supposed to validate the token is giving me errors.

If I have my node api using this first type of authentication, I get an error:
UnauthorizedError: secret or public key must be provided

![alt text][1]

BUT, if I use this second form of validation, it works. My concern is that Im not 100% sure its as secure. If there is no token - this validation give me this error when the token is not valid:
UnauthorizedError: jwt malformed

![alt text][2]

Here is my lock file on react:
![alt text][3]

And here is my api call in react:
![alt text][4]

So do I need to make the first option work for better security, if so how? Is the second option of api validation just as good? I feel like I’ve looked at over 100 tutorials over the last 2 days and they are either out of day, or just are not easy to follow. Im using the most current version of Auth0.

Looking for any help - thank you.


The different configurations you showed in relation to how to setup the secret are due to signing algorithm being used ( HS256 or RS256 ). In your case the HS256 configuration is working so you likely configured your API in a way that the access tokens being issued are using HS256.

With HS256 you’re using a symmetric key to validate the token; this means that the same key used to create/sign the token is also used to validate the signature (this has the side-effect that whoever is able to validate a token is also able to create/sign one). With RS256 you’re using an asymmetric key which means that a private key is used to create/sign the token and an associated public key is used to validate the signature (anyone can validate tokens using the public key, but only whoever owns the private key can create/sign them).

The underlying difference in keys means they provide different security characteristics, but depending on the scenario both can be used securely. If having access to the symmetric key for HS256 in the API itself can be done in a secure way, it’s acceptable for you to use this algorithm because the API is yours so you also trust that the API will not try to create fake tokens.

If you need the characteristics of RS256 then start by making sure the API is configured in a way that the issued access tokens use this algorithm instead.


Thank you for explaining that! Very helpful :slight_smile:


Thank you for explaining that! Very helpful :slight_smile: