M2M api verification

Hello,

I built a basic API with Node.js to test the token verification capabilities.
Here is the code:
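```javascript
const express = require("express");
const { auth } = require("express-oauth2-jwt-bearer");

// JWT validation middleware: checks audience, issuer and signing algorithm.
const jwtCheck = auth({
  audience: "https://m2m.com",
  issuerBaseURL: "https://xxxx.auth0app.com/",
  tokenSigningAlg: "RS256"
});
const app = express();

// No middleware: reachable without a token.
app.get("/public", (req, res) => {
  const message = "I am public";

  res.status(200).json(message);
});

// jwtCheck runs first and rejects requests without a valid bearer token.
app.get("/protected", jwtCheck, (req, res) => {
  const message = "I am protected";

  res.status(200).json(message);
});

app.get("/admin", jwtCheck, (req, res) => {
  const message = "I am an admin";

  res.status(200).json(message);
});

// Port 3000 is an assumption; the posted snippet does not include the listen call.
app.listen(3000);
```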

When I try hitting /admin or /protected in Postman with the header `authorization: Bearer {{access_toke}}`, I get `InvalidTokenError: Failed to fetch authorization server metadata`

Why is that?

A general thing you could do while validating the token is to decode the token that you are trying to verify using https://jwt.io
Make sure that the audience, issuer and the token signing algorithm match whatever is in the decoded token.

1 Like
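The comparison suggested in the reply above can also be done locally, without pasting a token into a website. This is an added example, not code from the thread or from express-oauth2-jwt-bearer: `decodeJwt`, `checkTokenAgainstConfig`, `discoveryUrls` and `makeSampleToken` are hypothetical helper names, the sample tokens are constructed, and the metadata URLs assume a host-only issuer such as an Auth0 tenant domain.

```javascript
// Decode a compact JWT without verifying its signature (diagnostics only).
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 parts)");
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, "base64url").toString("utf8")));
  return { header, payload };
}

// Compare the token's aud, iss and alg with the options passed to auth().
function checkTokenAgainstConfig(token, config) {
  const { header, payload } = decodeJwt(token);
  const problems = [];
  const audiences = [].concat(payload.aud ?? []); // aud may be a string or an array
  if (!audiences.includes(config.audience))
    problems.push(`aud ${JSON.stringify(payload.aud)} does not include ${config.audience}`);
  // Exact string compare, so a missing trailing slash is reported too.
  if (payload.iss !== config.issuerBaseURL)
    problems.push(`iss ${payload.iss} differs from issuerBaseURL ${config.issuerBaseURL}`);
  if (header.alg !== config.tokenSigningAlg)
    problems.push(`alg ${header.alg} differs from tokenSigningAlg ${config.tokenSigningAlg}`);
  return problems;
}

// Well-known metadata documents (OpenID Connect Discovery, RFC 8414) for the
// issuer. If neither URL answers from the API host, metadata lookup cannot succeed.
function discoveryUrls(issuerBaseURL) {
  const base = new URL(issuerBaseURL);
  base.pathname = base.pathname.replace(/\/?$/, "/");
  return [".well-known/openid-configuration", ".well-known/oauth-authorization-server"]
    .map((p) => new URL(p, base).href);
}

// Constructed sample token: unsigned, with a dummy signature segment.
function makeSampleToken(header, payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc(header)}.${enc(payload)}.sig`;
}

const config = { audience: "https://m2m.com",
  issuerBaseURL: "https://xxxx.auth0app.com/", tokenSigningAlg: "RS256" };
const sample = makeSampleToken({ alg: "RS256", typ: "JWT" },
  { iss: "https://xxxx.auth0app.com", aud: "https://m2m.com" });
console.log(checkTokenAgainstConfig(sample, config)); // reports the iss mismatch
console.log(discoveryUrls(config.issuerBaseURL));
```

Requesting the printed metadata URLs from the machine that runs the API shows whether the issuer host resolves and serves the metadata at all.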

Thank you, but all the information decoded by jwt.io seems appropriate

1 Like

Hey there @richardb !

Further to what @spoudel has said, I know `issuerBaseURL` is a placeholder here, but I just want to double-check that this is correct and matches your tenant domain? .auth0app.com won’t exist in a default tenant domain.

Feel free to share the decoded token with me via DM if you’d like me to take a look 🙂

Yes, this is the appropriate domain, I have used it for Universal Login in the past