Is verifying a JWT Access Token enough for custom API access? Or do I need to hit somesort of Auth0 endpoint to ensure the access token is valid? If the backend JWT verifier confirms the signature and the form of JWT, does that constitute authorization and authentication (given that the Access Token contains the user sub claim)?
The signature is used to verify that the payload of the JWT has not been tampered with. There isn’t a need to send the token to an external source for verification. Some SDKs will do this signature and payload verification for you, making it fairly painless. If you want to dig in on the subject, this is a good resource.
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.