Verify JWTs (TypeScript)

Validate Avnology ID access tokens locally using @avnology/backend's JWTVerifier.

Verify JWTs in TypeScript

When a user's access token lands in your backend, you have two options:

  1. Call POST /v1/oauth/introspect -- simple, but one network round trip per request.
  2. Verify locally against a cached JWKS -- sub-millisecond, no round trip on the request path.

This guide covers option 2, using @avnology/backend's JWTVerifier.

Install

npm install @avnology/backend

Minimum viable verifier

The verifier:

  • Fetches /.well-known/jwks.json on first call, caches it for 5 minutes.
  • On a kid miss (post-rotation) refreshes the JWKS once, with a 30-second cooldown to prevent JWKS DoS.
  • Enforces iss, aud (if set), exp, nbf, and 30 seconds of clock skew tolerance.
  • Returns a strongly-typed AvnologyClaims object. No Ory / Kratos / Hydra terminology leaks.

Use in Express middleware

import express from "express";
import { JWTVerifier } from "@avnology/backend";

const app = express();
const verifier = new JWTVerifier({
  issuer: "https://api-id.avnology.net",
  audience: "my-api",
});

app.use(async (req, res, next) => {
  // Accept only "Authorization: Bearer <token>"; anything else is unauthenticated.
  const [scheme, token] = (req.header("authorization") ?? "").split(" ");
  if (scheme !== "Bearer" || !token) {
    res.status(401).json({ error: "missing bearer token" });
    return;
  }
  try {
    // verify() is assumed here; use the method name from the @avnology/backend typings.
    res.locals.claims = await verifier.verify(token);
    next();
  } catch (err) {
    res.status(401).json({ error: (err as Error).message });
  }
});
Or use the prebuilt middleware in @avnology/express:

import { requireAuth } from "@avnology/express";

app.use(requireAuth({
  issuer: "https://api-id.avnology.net",
  audience: "my-api",
}));

Use in Next.js middleware

// middleware.ts
import { NextResponse, type NextRequest } from "next/server";
import { JWTVerifier } from "@avnology/backend";

const verifier = new JWTVerifier({
  issuer: "https://api-id.avnology.net",
  audience: "my-api",
});

export async function middleware(req: NextRequest) {
  const token = req.headers.get("authorization")?.replace(/^Bearer /, "");
  if (!token) {
    return NextResponse.json({ error: "missing bearer token" }, { status: 401 });
  }
  try {
    // verify() is assumed here; use the method name from the @avnology/backend typings.
    await verifier.verify(token);
    return NextResponse.next();
  } catch (err) {
    return NextResponse.json({ error: (err as Error).message }, { status: 401 });
  }
}

// The matcher is an assumption; restrict it to the routes that require a token.
export const config = { matcher: ["/api/:path*"] };
The @avnology/nextjs package wraps this pattern with avnologyMiddleware().

Claim reference

interface AvnologyClaims {
  subject: string;          // sub -- identity ID
  userId: string;           // alias for subject
  organizationId?: string;  // org_... when scoped
  sessionId?: string;       // ses_...
  // ...
}
Common failure modes

  • JWKSNoMatchingKey -- the token's kid is not in the cached JWKS. Check that the verifier's issuer matches the token's iss; after a key rotation the verifier refreshes the JWKS once on the kid miss (subject to the 30-second cooldown).
  • JWTExpired -- exp is in the past, beyond the 30-second skew. Reject with 401; the client obtains a fresh token via the SDK's refreshToken() helper.
  • JWTClaimValidationFailed: audience -- the token's aud does not match the verifier's audience. Check the audience configured on your OAuth client and in the verifier.
  • Network timeout on JWKS -- the gateway serving /.well-known/jwks.json is unreachable. Put a CDN in front of the JWKS endpoint, or lengthen cacheMaxAgeMs so the cached key set outlives short outages.