Verify JWT token

Is there a way to verify JWT without a function?

I have netlify-identity-widget set up for my site, and I can log in to Netlify and my frontend has the access token.

However, without the secret key for the token, my backend cannot verify the token hasn’t been tampered with. Is there a way to do this? I do not wish to use functions as I have an existing backend.

I was assuming using a proxy would reject requests with an unverified token, but this is not the case. I have signed proxy redirects set up, but that allows me to verify that the requests are coming through the proxy, but does not verify the token.

Hi there @turtlebits,

Right now there is no way to get your account’s JWT secret. What I generally do is use a Netlify function to authenticate the token. Another option is to use a signed proxy redirect so you can confirm that the request is coming via Netlify. More info on JWS can be found at https://www.netlify.com/blog/2017/10/17/introducing-structured-redirects-and-headers/#signed-proxy-redirects

Thanks, a signed proxy redirect just allows me to verify if a request to my backend is coming via the Netlify proxy, but there is no way to verify the JWT payload. So someone can just post to my proxy URL with a tampered token. (I double-checked - the proxy doesn’t try to verify the JWT by sending a tampered token through it).
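The distinction discussed in this thread, as an added example that is not code from any of the posters or from Netlify: a backend check of the signed-proxy JWS, which proves only that the request came through the proxy. It assumes the signature arrives as a compact HS256 JWS in an `x-nf-sign` header signed with the secret named in the redirect rule; the function names, the secret and the sample tokens are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWS; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_proxy_signature(jws: str, secret: bytes, now=None) -> dict:
    """Return the claims of a valid, unexpired HS256 JWS, else raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = jws.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except Exception as exc:
        raise ValueError("malformed JWS") from exc
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        raise ValueError("expired or missing exp")
    return claims

def handle_request(headers: dict, secret: bytes, now=None) -> str:
    """Hypothetical backend gate: checks the proxy hop only."""
    try:
        verify_proxy_signature(headers.get("x-nf-sign", ""), secret, now)
    except ValueError:
        return "reject"
    # The Authorization bearer token is deliberately not trusted here: the
    # proxy signature covers the hop, not the Identity JWT the client sent.
    return "via-proxy, identity-unverified"
```

A request that passes this gate can still carry a tampered bearer token, which is the gap described in the last post.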