Unable to verify JWT without API call

I’m hosting my server with AWS Lambda, which means I need to be able to locally verify the authenticity of an Authorization header WITHOUT hitting the well-known/jwks.json endpoint. I’ve got a copy of my cert now, however there is no documentation on using the express-jwt library to use anything but the Auth0 endpoints. I’m more than happy to handle cert rotation myself, but I absolutely can’t go making an additional HTTP call every single time any user makes any request to my application, and to be honest I’m not sure how the Auth0 team thought that was a good design choice.

Hi @Texonidas,

Welcome back!

It looks like this case is covered in the usage example.

Let me know if I am missing something,

Hey Dan,

So while I have managed to get a local copy of my cert to verify the token is valid, I’m now stuck needing to make a different HTTP request to get the user’s information. Why do I need to make two HTTP calls just to get a logged in user’s email address? Is there a way for me to get the user’s email address back in the token when they log in instead of getting a token that I then need to send off in it’s place, to get another token containing the email?

For more context, I have a very simple application. I want to use google signin via auth0 in my client, then send that token to the server with every request in order to validate which user is logged in (via email address), so that i can allow and restrict access to endpoints based on their role. This is going to be hosted on Lambda, so I can’t afford the additional latency of making an outbound HTTP call with every single request my server receives.

Given this is an incredibly common use case, I don’t understand why the auth-0-spa.js plugin doesn’t give me access to a token I can use to facilitate this. If I’m misunderstanding something, please let know where the confusion is.


You are talking about making the second call to the /getuser endpoint. If you are looking to avoid this you can use the getIdTokenClaims method to retrieve the user’s profile information after the initial call where the access token and id token are issued. You can also get the raw id token with this method. Follow the doc here:

Would that solve it?


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.