Step 5: Verify JWT on the server

⏱ 15 min read

Integrate Transcodes with your backend for enhanced security and control


Why Server-Side Integration?

While the Auth Console Panel provides a quick no-code solution, server-side integration offers:

  • Enhanced Security: Validate tokens on your server
  • Custom Logic: Add business rules to authentication flow
  • Database Sync: Store user data in your own database
  • API Protection: Secure your API endpoints with token verification

How Token Verification Works

  1. Client: Gets a JWT token from Transcodes after authentication via getAccessToken()
  2. Client: Sends the token to your server in the Authorization: Bearer <token> header
  3. Your Server: Verifies the token locally using public_key.json (EC P-256 / ES256)
  4. No API calls to Transcodes are needed for verification — it’s all done locally

Token Verification

Transcodes issues JWT tokens signed with ES256 (EC P-256). You verify them locally on your server using the public_key.json downloaded from the Console.

Get the User Token

After authentication, retrieve the user’s token from Transcodes:

```js
const token = await transcodes.token.getAccessToken();
```

Send Token to Your Server

Include the token in your API requests:

```js
const response = await fetch('/api/protected', {
  headers: {
    Authorization: `Bearer ${token}`,
  },
});
```

Download the Public Key

Download the public_key.json file from the Transcodes Console → Authentication Cluster and add it to your server.

Important: Download this JSON file and add it to your server as a static file or paste its content inline.

The file looks like this:

```json
{
  "kty": "EC",
  "x": "...",
  "y": "...",
  "crv": "P-256",
  "alg": "ES256",
  "kid": "..."
}
```

Caveat: If you generate a new public key JSON in the dashboard, the previous one will become invalid. Make sure to update the JSON file on your server whenever you generate a new key.

Install JWT Library

Install the JWT library for your language:

```sh
npm install jose
```

Verify Token with Public Key

Use the public_key.json to verify tokens locally:

```ts
import express from 'express';
import { importJWK, jwtVerify, type JWTPayload } from 'jose';

// Paste your public_key.json content here
const TRANSCODES_PUBLIC_JWK = {
  kty: 'EC',
  x: '...',
  y: '...',
  crv: 'P-256',
  alg: 'ES256',
  kid: '...',
};

// Let TypeScript know about the property the middleware sets on the request
declare global {
  namespace Express {
    interface Request {
      member?: JWTPayload;
    }
  }
}

const app = express();

// Import the JWK once and reuse the resulting key for every request
let _publicKey: Awaited<ReturnType<typeof importJWK>> | null = null;

async function getPublicKey() {
  if (!_publicKey) {
    _publicKey = await importJWK(TRANSCODES_PUBLIC_JWK, 'ES256');
  }
  return _publicKey;
}

async function verifyToken(token: string): Promise<JWTPayload> {
  const publicKey = await getPublicKey();
  // Verifies the signature and the exp claim; only ES256 is accepted
  const { payload } = await jwtVerify(token, publicKey, { algorithms: ['ES256'] });
  return payload;
}

// Express middleware
app.use(async (req, res, next) => {
  const auth = req.headers.authorization;
  if (!auth?.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'No token' });
  }
  try {
    // Strip the "Bearer " prefix (7 characters) before verifying
    req.member = await verifyToken(auth.slice(7));
    next();
  } catch {
    res.status(401).json({ error: 'Invalid or expired token' });
  }
});
```

No API Calls Required: Token verification happens entirely on your server using the public key. No network calls to Transcodes are needed, making verification fast and reliable.
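The sketch below is an added example, not Transcodes or jose code. It spells out the checks that local ES256 verification involves using only node:crypto, and returns a reason for each failure so a stale public_key.json after key regeneration can be told apart from a bad signature. It assumes the token header carries the `kid` of the signing key and the payload a numeric `exp`; `makeKey`, `issue` and `checkToken` are hypothetical helpers, and the key pairs are constructed samples.

```javascript
// Added example: the checks behind local ES256 verification, using only node:crypto.
const { createPublicKey, generateKeyPairSync, sign, verify } = require('node:crypto');

const b64u = (value) => Buffer.from(value).toString('base64url');

// Constructed stand-in for a Console key pair; a real server only holds public_key.json.
function makeKey(kid) {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, jwk: { ...publicKey.export({ format: 'jwk' }), alg: 'ES256', kid } };
}

// Constructed issuer used only to produce sample tokens for this example.
function issue(privateKey, kid, claims, alg = 'ES256') {
  const input = `${b64u(JSON.stringify({ alg, kid, typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Returns { ok: true, payload } or { ok: false, reason } so the caller can log why it failed.
function checkToken(token, jwk, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !payload) return { ok: false, reason: 'malformed' };
  // Pin the algorithm to the one in public_key.json; never take it from the token alone.
  if (header.alg !== 'ES256' || jwk.alg !== 'ES256') return { ok: false, reason: 'unexpected-alg' };
  // Assumption: the header carries the signing key's kid. A mismatch usually means the
  // server still has the old public_key.json after a new key was generated.
  if (header.kid !== jwk.kid) return { ok: false, reason: 'kid-mismatch' };
  const key = createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  // JWS carries the raw r||s signature, hence ieee-p1363 rather than DER.
  const valid = verify('sha256', signed, { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!valid) return { ok: false, reason: 'bad-signature' };
  // Claims are only trusted after the signature has been verified.
  if (typeof payload.exp !== 'number' || payload.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, payload };
}
```

Logging the `reason` server-side while still returning a generic 401 to the client keeps the middleware response unchanged and makes a missed key update visible as a burst of `kid-mismatch` failures.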


What’s Next

Server-side integration complete! Explore more: API Reference for all APIs
