Verify user in Node.js backend

I am hosting the frontend of my application and doing auth using Netlify. I want to store some additional user information in my own database and make calls to an API I have built, and I need to verify the user is who they say they are. How do I do this? I can’t find anything in the documentation on how to do this.

@jonathan-fielding, hmm, I don’t have implementation details but if you can pass the token to your backend, you can check for their metadata as mentioned here: Let me know if that works for you.


So how do I verify that the JWT being sent hasn’t been tampered with or generated by someone else? I don’t have a way to provide a secret for Identity to use in this way, as far as I know.



Hi @jonathan-fielding,

You can verify the signature of our JWTs in a Netlify function. In fact, if you pass an Identity JWT in as a bearer token in an Authorization header, we’ll verify it for you automatically and inject the user data into the function's context. From there you can actually run some logic with that data or sign a new JWT and send it to your own backend. Another option is to use JWS with Netlify redirects so that you can confirm that the request comes from Netlify directly. You can read more about signed proxy redirects in

@jonathan-fielding I was wondering the same thing. I looked through the GoTrue API and noticed that /.netlify/identity/user requires auth. My plan is to use this endpoint to verify tokens. This might be the same as what Netlify functions are doing.

Edit: Never mind, this is going to add unnecessary calls and slow things down. I’m going to look into using an RS256 auth provider.


Hi @futuregerald - are there any examples for JWS? I added signed = "SECRET_KEY" under one of my redirects to my netlify.toml and added an environment variable in the web admin UI.

On my fetch requests, I still only see a cookie nf_jwt. That token cannot be validated with my SECRET_KEY value. I also tried using a python JWS library to try to verify the nf_jwt token with a hash below in the docs, with no luck. Is the JWS supposed to be stored somewhere else?

  "netlify_id": "the site's id in netlify",           # i used <word>-<word>-<6 digit hex>
  "site_url": "the site's URL for a given deploy",    # the public url which is a <long hash>--<site id>
  "context": "the deploy context for this request"    # production

The cookie should be named the same as the site ID. Here’s an example one from my site with that config:

94df29c5-77bb-4cd4-b699-b4e2db7991cd with value BAhU--adb1d6f0d36de732ddf270a685p[...]e4583f

Actually, the solution that @sirWhatever mentions works - if you do a curl with:

 curl -H 'Accept: application/json' -H "Authorization: Bearer your_access_token_here" https://YOUR_SITE_DOMAIN/.netlify/identity/user

Then you’ll get back, if the access token is valid, information about the user. That seems a good idea to validate that an access token is legit