Using Memberstack 2.0? There is an updated community forum post here.
Verify Memberstack token signatures using a JWT Library.
Memberstack uses JWT tokens to store a member's session while they are logged in. You can use the token in your own API to identify the user.
Important: Please verify the signature of the token to confirm that Memberstack was the party that created it.
Steps
You can use MemberStack.getToken() client side to retrieve the token that Memberstack set for the member (it will be empty if no member is logged in). You can pass that token to your own API.
Please verify the token has the following properties.
Token Header
{
"alg": "RS256",
"kid": "Must match a key found at https://api.memberstack.io/metadata/v1/public-keys"
}
Token Payload
{
"id": "...",
"email": "...",
"site": "...",
"iat": 1600307139,
"exp": 1600907139
}
You can now verify the token was signed by a private key corresponding to the token's kid claim.
You can find public keys at https://api.memberstack.io/metadata/v1/public-keys