How to ensure that the JWT token has not been tempered with?

I had a question regarding how to ensure that the token that you have received as part of your api has the right and valid token?

My front end is react and when the user logs in they receive a token from auth0 which is then attached to the requests that are made to the server. Now my question is how does the server know that the jwt token has not been tempered with or someone is not impersonating as someone else by creating a valid jwt? I would have thought that ideally there is some process from the backend which makes a request to the auth0 servers with the token to ensure that the token was in fact issued by auth0? Any help with clearing my confusion would be very helpful thanks.

Hey there @mianhassani.uk!

This is a great question - Most flows like you’ve described will result in an RS256 signed access token. When this token is passed to your API/backend it’s important to utilize a library that validates it. It does this by grabbing the public key and verifying the signature, ensuring that the token hasn’t been altered.

1 Like

I am using spring boot framework for my server and I am in my security config I use this oauth2ResourceServer to make my server a Oauth2Resource server. Is that the sort of thing you are talking about? If you have a better alternative then I am happy to hear them too.

1 Like

Have you had a chance to take a look at our Spring Boot API authorization quickstart and accompanying sample app?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.