
Verify access token in node middleware

Tags: token, verify, access-token, access, middleware

#1

I’m implementing an authentication flow as follows using the passwordless api:

  1. User enters their email or phone number in the client app.
  2. This creates a request in the middleware which checks if the email is allowed using a third party api.
  3. If valid, call the Auth0 endpoint to login the user passwordlessStart
  4. Auth0 sends a magic password / OTP to the user.
  5. User enters the magic password / OTP in the interface. passwordlessVerify
  6. Auth0 returns an access token back to the client directly where the endpoint was called for login. parseHash

After the user is signed in, all user actions henceforth generate the following flow:

  1. User Acts, a request is sent to middleware with access_token and email / phone.
  2. Middleware calls Auth0 to verify the access token.
  3. Once verified, the actual request is performed to third party.

I’m not sure how to verify the access token in the middleware (if it’s valid) in the second step.


#2

I suggest reading through the Node API Authorization quickstart documentation which outlines this:
https://auth0.com/docs/quickstart/backend/nodejs#protect-individual-endpoints

Note, the access_token isn’t sent to Auth0 to verify; your middleware will simply get the public key for the signed access_token from Auth0 (e.g. https://your_tenant.auth0.com/.well-known/jwks.json), and perform the verification.


#3

Thanks Prashant, I am having problems authorizing the user in the middleware with the code sent to the mail from passwordless start. Can you suggest something for that? Thanks


#4