Unable to verify JWT token with express-jwt

I have a flutter app that is using auth0 for authentication. I am able to authenticate, and then use those tokens with my Hasura API.

I am attempting to set up an express based API as well and have been struggling to validate the tokens.

I followed

Then I get a token from my native app. The token looks well formed with the correct client id in the aud.

If I call the API with no token I get an auth missing error; if I add my token as a Bearer header I get

    {
      "name": "UnauthorizedError",
      "message": "invalid signature",
      "code": "invalid_token",
      "status": 401,
      "inner": {
        "name": "JsonWebTokenError",
        "message": "invalid signature"
      }
    }

This is the code I’m using to validate the token; the audience matches the aud in the token above.

My auth0 application is set up as a Native application.

Thanks in advance for any help.


I troubleshot this some more and am still coming up empty. I started by adding breakpoints at the entry point of express-jwt.

I’m able to follow the trail to the jwa library verify method. My breakpoint at this line of code shows values for both the public key and the signature. I have verified the public key is the key retrieved from .well-known/jwks.json, and I ensured the signature is the last portion of my JWT token.

I have no idea what I could be doing wrong, and after a couple of hours of troubleshooting I’m about to throw in the towel for HS256 🙁

jwa :: index.js :: Line 164

Still unable to find a resolution. Tried changing my app to HS256, then saw a post where native apps are forcibly issued RS256 tokens because native clients can’t reliably store secrets, which makes sense.

I’m trying to follow the manual steps and can’t get my token to verify either. On my mobile device I log in and capture the token, I paste that in jwt.io, then I get my key from /pem (or the jwks url, I have validated they are the same) and paste that in JWT.io and can’t validate the signature.

I feel like I’m doing something completely off base, but all the online documentation seems to point me in this direction. To verify I should be able to:

  1. Log in on the auth0 form requesting an id token

  2. Extract the id token from the request object and paste it into jwt.io

  3. Get the public key either from the dashboard, /pem, or the json returned from .well-known/jwks.json and paste it into jwt.io where the existing public key is and verify?

I am unable to get my token to verify with this method, what am I missing?