Should I validate my JWTs with FusionAuth or locally?

  • I see there is a validation endpoint. Should I use that or a local library to validate my JWTs?

  • You should always validate your JWT locally.

    As outlined in this doc, you need to make sure, at a minimum, that the aud, roles, and iss claims are as expected, and that can only be done by looking at a JWT and examining those claims. If you use a library that supports JWKS, doing this should be super simple.

    Note that the FusionAuth API endpoint validates JWTs at a basic level. It ensures that the JWT hasn't expired and that it was signed correctly.

    The reasons to use the API endpoint are:

    • If you have an HMAC signed JWT and you don't want to share the secret with the JWT consumer
    • If you have no JWT library that is available (whether because it hasn't been written, or you don't want to deploy it with your application)
    • You are willing to accept a network call instead of loading up such a library
