Verify JWT token

Is there a way to verify JWT without a function?

I have netlify-identity-widget set up for my site, and I can log in to Netlify and my frontend has the access token.

However, without the secret key for the token, my backend cannot verify the token hasn’t been tampered with. Is there a way to do this? I do not wish to use functions as I have an existing backend.

I was assuming using a proxy would reject requests with an unverified token, but this is not the case. I have signed proxy redirects set up, but that allows me to verify that the requests are coming through the proxy, but does not verify the token.

Hi there @turtlebits,

Right now there is no way to get your account’s JWT secret. What I generally do is use a Netlify function to authenticate the token. Another option is to use a signed proxy redirect so you can confirm that the request is coming via Netlify. More info on JWS can be found at

Thanks, a signed proxy redirect just allows me to verify if a request to my backend is coming via the netlify proxy, but there is no way to verify the JWT payload. So someone can just post to my proxy URL with a tampered token. (I double checked - the proxy doesn’t try to verify the JWT by sending a tampered token through it).

Hi @turtlebits, I’m currently investigating a possible solution to your question. I’ll update here once I confirm the solution.

Hi @Dennis! Were you successful in finding a solution?

Dennis will likely be able to give you a longer answer later, but you might want to look into this area of our docs:

Right, so the signed proxy redirects can definitely help with making sure your external url has a way to identify requests from your netlify site.

But if you also want to validate your JWT against your site’s Identity instance, you will need to do as @futuregerald mentioned and use a Netlify Function in conjunction with If you invoked your Netlify Function with the appropriate Authorization header (Authorization: Bearer <JWT here>), our system will populate the context.clientContext object. You can then use this information to tell your function whether the request is valid or not. An example might look like:

Between the two options, that hopefully gets you what you need.

Sorry for the long delay in updating here.

Thank you for the suggestions, @marcus & @Dennis!

Hi @futuregerald

More info on JWS can be found at

Will you please advise on how to verify the x-nf-sign header?
I was able to sign the requests but now struggling to find the right way to verify the signature.

Thank you!

UPDATE: used jws and it is working!