Support Forums

Verify JWT token

Is there a way to verify JWT without a function?

I have netlify-identity-widget setup for my site, and I can login to Netlify and my frontend has the access token.

However, without the secret key for the token, my backend cannot verify then token hasn’t been tampered with. Is there a way to do this? I do not wish to use functions as I have an existing backend.

I was assuming using a proxy would reject requests with an unverified token, but this is not the case. I have signed proxy redirects setup, but that allows me to verify that the requests are coming through the proxy, but does not verify the token.

1 Like

Hi there @turtlebits,

Right now there is no way to get your account’s JWT secret. What I generally do is use a Netlify function to authenticate the token. Another option is to use a signed proxy redirect so you can confirm that the request is coming via Netlify. More info on JWS can be found at https://www.netlify.com/blog/2017/10/17/introducing-structured-redirects-and-headers/#signed-proxy-redirects

Thanks, a signed proxy redirect just allows me to verify if a request to my backend is coming via the netlify proxy, but there is no way to verify the JWT payload. So someone can just post to my proxy URL with a tampered token. (I double checked - the proxy doesn’t try to verify the JWT by sending a tampered token through it).

Hi @turtlebits, I’m currently investigating a possible solution to your question. I’ll update here once I confirm the solution.

1 Like

Hi @Dennis! Were you successful in finding a solution?

Dennis will likely be able to give you a longer answer later, but you might want to look into this area of our docs: https://docs.netlify.com/routing/redirects/rewrites-proxies/#signed-proxy-redirects

Right, so the signed proxy redirects can definitely help with making sure your external url has a way to identify requests from your netlify site.

But if you also want to validate your JWT against your site’s Identity instance, you will need to do as @futuregerald mentioned and use a Netlify Function in conjunction with https://github.com/netlify/gotrue-js#get-current-user. If you invoked your Netlify Function with the appropriate Authorization header (Authorization: Bearer <JWT here>), our system will populate the context.clientContext object. You can then use this to information your function whether the request is valid or not. And example might look like: https://github.com/netlify/gotrue-js#get-a-user.

Between the two options, that hopefully gets you what you need.

Sorry for the long delay in updating here.

Thank you for the suggestions, @marcus & @Dennis!

Hi @futuregerald

More info on JWS can be found at https://www.netlify.com/blog/2017/10/17/introducing-structured-redirects-and-headers/#signed-proxy-redirects

Will you please advice on how to verify x-nf-sign header?
I was able to sign the requests but now struggling to find the right way to verify the signature.

Thank you!

UPDATE: used jws https://github.com/auth0/node-jws#readme and it is working!

hey, @yuyokk
just wondering when using node-jws you still need to use s secret in order to verify a signature
may i know where did you get the secret on netlify ?

jws.verify(signature, algorithm, secretOrKey)


Hi @romain1304,

As @futuregerald mentioned here:

You’d have to hardcode the secret in your Netlify Function. Considering your publish directory might be different from functions directory, the function’s code cannot be read by anyone else, it should not be a problem. If it’s in a public repo, you’d have to set the secret in an environment variable and then access it using process.env.VAR_NAME.