# Overview

JWT validation in TypeAuth verifies:

- Token signature authenticity
- Expiration status
- Time validity
- Custom claim requirements
# Validation Process

## Standard Checks

TypeAuth automatically validates:

- Signature Verification, for the following algorithms:
  - RS256, RS384, RS512
  - HS256, HS384, HS512
  - ES256, ES384, ES512
- Time-Based Claims

## Custom Claim Validation

Define specific claims that must be present and match expected values.

# Configuration

## Basic Setup

## Advanced Validation Rules

# Common Validation Scenarios

## 1. Basic Time Validation

## 2. Role-Based Access

## 3. Multi-Tenant Validation
# Error Handling

| Error Code | Description | Solution |
|---|---|---|
| invalid_signature | Token signature verification failed | Check signing key/algorithm |
| token_expired | Token has expired | Refresh token |
| token_not_active | Token not yet valid (`nbf`) | Check clock sync |
| missing_claim | Required claim not present | Add required claim |
| invalid_claim | Claim value doesn't match requirements | Correct claim value |
# Best Practices

- Signature Verification
  - Use strong algorithms (RS256 minimum)
  - Regularly rotate signing keys
  - Maintain secure key storage
- Claim Validation
  - Always verify issuer (`iss`)
  - Validate audience (`aud`)
  - Include expiration (`exp`)
  - Check not-before (`nbf`)
- Security Considerations
  - Set appropriate clock skew
  - Validate all critical claims
  - Use specific audience values
  - Implement key rotation
# Limitations

- Maximum 10 public keys per application
- Maximum 20 required claims
- Maximum 20 optional claims
- Clock skew: 0-900 seconds
- Supported key types: RSA, ECDSA, HMAC