An Outseta JWT Access Token identifies an authenticated user of your app. It can be decoded to read its payload (the information about the user), but decoding is not verification: anyone can mint a token with an arbitrary payload, so you must always verify an access token before you trust anything in it.
There are two ways to verify an Outseta JWT Access Token:
- Use your Outseta Public JWT Key to verify the access token using an auth library.
- Use the access token in a request to the profile endpoint; the request will only succeed if the access token is valid.
Relevant articles:
👉 The payload of an Outseta JWT Access Token
👉 Generate JWT Access Tokens (aka. log in users) using the Outseta API
👉 Supabase + Outseta Auth with Row Level Security (RLS)
Use your Outseta Public JWT Key
- Get the access token from the request
- Fetch the JSON Web Key (JWK) set from your well-known URL:
https://<your-domain>.outseta.com/.well-known/jwks
- Use the JWK Set to verify the access token with an auth library suitable for your tech stack.
In a Node environment using the jose library, with the access token sent in an Authorization header in the format `Bearer <token>`, it looks like this:
```js
import { createRemoteJWKSet, jwtVerify } from "jose";

// Grab the auth header
const authHeader = request.headers["authorization"];
// Grab the token from the auth header by splitting
// on space and taking the second value.
const token = authHeader?.split(" ")[1]?.trim();
if (!token) throw new Error("No bearer token in the Authorization header");

// Fetch the JSON Web Key (JWK) set. In real code create this once at module
// scope: jose caches the keys and only refetches when it sees an unknown kid.
const JWKS = createRemoteJWKSet(
  new URL("https://<your-domain>.outseta.com/.well-known/jwks"),
);

// Use the JSON Web Key (JWK) set to verify the token's signature and its
// time claims (exp, nbf). Pass { issuer, audience } options here too if you
// know the values your tokens should carry.
const { payload } = await jwtVerify(token, JWKS);
console.log("VERIFIED");

// The token is verified and you may use the information
// in its payload to identify the person behind the request.
console.log("PersonUid:", payload.sub);
console.log("Email:", payload.email);
console.log("Name:", payload.name);
console.log("AccountUid:", payload["outseta:accountUid"]);
console.log("IsPrimary:", payload["outseta:isPrimary"]);

// For the full payload reference: The JWT Access Token
```
You may see how this looks as an Express endpoint (/verify-with-remote-jwk-set) in this CodeSandbox example.
Use the access token in a request to the profile endpoint
- Get the access token from the request
- Use the access token in a request to Outseta's profile endpoint
- Decode the token (no signature check is needed at this point, since Outseta has just accepted it) for easy access to the account data in its payload
In a Node environment using the jose library (for `decodeJwt`), with the access token sent in an Authorization header in the format `Bearer <token>`, it looks like this:
```js
import { decodeJwt } from "jose";

// Grab the auth header
const authHeader = request.headers["authorization"];
// Grab the token from the auth header by splitting
// on space and taking the second value.
const token = authHeader?.split(" ")[1]?.trim();
if (!token) throw new Error("No bearer token in the Authorization header");

// Do a request to the profile endpoint with the token.
// snippets.outseta.com is this example's Outseta domain; use your own.
const fetchResponse = await fetch(
  // Adding fields=* gives you custom properties as well
  "https://snippets.outseta.com/api/v1/profile?fields=*",
  {
    headers: {
      Authorization: `Bearer ${token}`,
    },
  }
);
// Any non-2xx status means Outseta did not accept the token: stop here.
if (!fetchResponse.ok) throw new Error("Profile response not ok");
const profile = await fetchResponse.json();
console.log("VERIFIED");

// The token is verified and you may use the information in its payload
// and/or the information provided by the profile endpoint
// to identify the person behind the request.
// decodeJwt only decodes; it is safe here because the profile request
// made with this exact token succeeded.
const payload = decodeJwt(token);
console.log("PersonUid:", payload.sub, profile.Uid);
console.log("Email:", payload.email, profile.Email);
console.log("Name:", payload.name, profile.FirstName, profile.LastName);
console.log("Avatar:", profile.ProfileImageS3Url);
console.log("MyCustomProperty", profile.MyCustomProperty);
console.log("AccountUid:", payload["outseta:accountUid"]);
console.log("IsPrimary:", payload["outseta:isPrimary"]);

// For the full payload reference: The JWT Access Token
```
You may see how this looks as an Express endpoint (/verify-with-profile-request) in this CodeSandbox example.
Full Express/Node demo of both approaches on Code Sandbox