
    Should I validate my JWTs with FusionAuth or locally?

    Q&A
    jwt validation
    • dan

      I see there is a validation endpoint. Should I use that or a local library to validate my JWTs?

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      • dan

        You should always validate your JWT locally.

        As outlined in this doc, you need to make sure, at a minimum, that the aud, roles, and iss claims are as expected, and that can only be done by looking at a JWT and examining those claims. If you use a library that supports JWKS, doing this should be super simple.

        Note that the FusionAuth API endpoint validates JWTs at a basic level. It ensures that the JWT hasn't expired and that it was signed correctly.

        The reasons to use the API endpoint are:

        • If you have an HMAC signed JWT and you don't want to share the secret with the JWT consumer
        • If you have no JWT library that is available (whether because it hasn't been written, or you don't want to deploy it with your application)
        • You are willing to accept a network call instead of loading up such a library

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io
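
The local checks described in the answer above, as an added example that is not part of the original post or FusionAuth's own code: it verifies the signature and expiry, then the iss, aud and roles claims. It assumes an HS256 token and a shared secret so it runs on the Python standard library alone (with asymmetric keys, a JWKS-capable library would do the signature step); the secret, issuer, audience and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed sample values (assumptions, not taken from the post).
SECRET = b"constructed-demo-secret"
ISS = "https://auth.example.com"
AUD = "constructed-application-id"
NOW = 1_700_000_000  # fixed clock so the example is deterministic

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mac(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Stand-in for the issuer: builds a constructed sample token."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}." + b64url_encode(mac(f"{head}.{body}", secret))

def validate(token, secret, issuer, audience, role, now):
    """Return the claims if every check passes, else raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and payload must be JSON objects")
    except Exception:
        raise ValueError("malformed token") from None
    exp, aud, roles = claims.get("exp"), claims.get("aud"), claims.get("roles")
    checks = [
        # Pin the algorithm; never let the token pick it (rejects "none").
        (header.get("alg") == "HS256", "unexpected alg"),
        (hmac.compare_digest(sig, mac(f"{head_b64}.{body_b64}", secret)), "bad signature"),
        (isinstance(exp, (int, float)) and exp > now, "expired"),
        # Signature and expiry are only the basic level; the claims come next.
        (claims.get("iss") == issuer, "wrong iss"),
        (audience in (aud if isinstance(aud, list) else [aud]), "wrong aud"),
        (isinstance(roles, list) and role in roles, "missing role"),
    ]
    for ok, reason in checks:
        if not ok:
            raise ValueError(reason)
    return claims
```

A token issued for a different application passes the signature and expiry checks here and is rejected only at the aud check.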
