Articles on: Developers

Verifying ID Tokens

Long story short

Everytime PluginLab communicates with your backend, we attach an Authorization header that contains an ID token for the associated user.


Authorization: Bearer iOiJQUzI1NiJ9.e[...truncated...]mF1ZCI6InBsdWdpbjo1NmRjZDE1MDlmZThhO

The ID token is an assymetric JWT that contains the user id (uid) plus many other info and that you can verify using the following public key:

Once decoded, the payload will look like this:

Token Header

  "alg": "PS256"

Token Payload

  "uid": "<USER_ID>",
  "user": {
     "email": ",
     "name": "John Doe",
     "given_name": "John",
     "family_name": "Doe",
     "plan_id": "XXXXXXX",
     "price_id": "YYYYYYYY"
  "aud": "plugin:<PLUGIN_ID>:admin",
  "iss": "",
  "iat": 1684490110,
  "exp": 1684662910

The token is encoded in base64 and you don't have to verify it to read the user id, nonetheless you should not trust any unverified token.

To verify a token is valid you must verify the following points:
- the signature is correct
- the issuer (iss) is equal to
- the audience (aud) <PLUGIN_ID> is equal to your plugin id
- the issued at (iat) field is after the current date
- the expired on (exp) field is before the current datw

Verify your member's token in Python

To validate the token in Python you can user our Python SDK.

Verify your members' token in NodeJS

To validate the token in NodeJS you can user our NodeJS SDK.

Feeling lost?

Feel free to contact us using the Chatbox on the bottom right corner and we will be more than happy to help!

Updated on: 26/07/2023

Was this article helpful?

Share your feedback


Thank you!