Understanding PluginLab ID Token
Validate ID Tokens
Every time PluginLab communicates with your backend, we attach an Authorization header containing an ID token for the associated user.
Example:
Authorization: Bearer iOiJQUzI1NiJ9.e[...truncated...]mF1ZCI6InBsdWdpbjo1NmRjZDE1MDlmZThhO
The ID token is a JWT signed with an asymmetric algorithm (PS256). It contains the user id (uid), and you can verify it using the following public key: https://auth.pluginlab.ai/admin/v1/cert
Once decoded, the header and payload look like this:
Token Header
{
"alg": "PS256"
}
Token Payload
{
"uid": "<USER_ID>",
"aud": "plugin:<PLUGIN_ID>:admin",
"iss": "https://auth.pluginlab.ai",
"iat": 1684490110,
"exp": 1684662910
}
The token is base64url-encoded, so you can read the user id without verifying it; nonetheless you should not trust any unverified token.
To verify that a token is valid, you must check all of the following points:
- the signature is correct
- the issuer (iss) is equal to https://auth.pluginlab.ai
- the <PLUGIN_ID> in the audience (aud) is equal to your plugin id
- the issued at (iat) timestamp is not later than the current time
- the expiration (exp) timestamp is later than the current time
In NodeJS
Our NodeJS SDK provides a convenient way to validate these tokens. See Verify the user token with the NodeJS SDK.
In Python
Here's an article that explains how to achieve PluginLab token verification in Python.
For other languages
To validate the signature in any other language, we highly recommend that you have a look at these JWT libraries and pick the right one for your language: https://jwt.io/libraries.
If you are lost, feel free to reach out and we'll write this code snippet for you.
Updated on: 26/07/2023