How to authenticate/validate user’s JWT token that we get from web3auth?

[shahbaz17]

[shahbaz17]

In order to verify the JWT token, you need the compressed app_pub_key (derived from app_scoped_privkey) and the idToken obtained from the userInfo.

App scoped private key will be obtained from the frontend once the user is logged in.
Public Key derivation depends on the curve (refer to the code snippets above)

// Incase of ed25519 curve
import { getED25519Key } from "@toruslabs/openlogin-ed25519";
const app_scoped_privkey = "app scoped private key";
const ed25519Key = getED25519Key(Buffer.from(app_scoped_privkey.padStart(64, "0"), "hex"));
const app_pub_key = ed25519Key.pk.toString("hex");

// Incase of secp256k1 curve
import { getPublicCompressed } from "@toruslabs/eccrypto";
const app_scoped_privkey = "app scoped private key";
const app_pub_key = getPublicCompressed(Buffer.from(app_scoped_privkey.padStart(64, "0"), "hex")).toString("hex");

Verify JWT Token

// JWT verification using JWK

import * as jose from "jose"
const app_pub_key = "obtained from the frontend"
const idToken = "obtained from the frontend"
const jwks = jose.createRemoteJWKSet(new URL("https://api.openlogin.com/jwks"));
const jwtDecoded = await jose.jwtVerify(idToken, jwks, { algorithms: ["ES256"] });
if ((jwtDecoded.payload as any).wallets[0].public_key === app_pub_key) {
  // Verified
}

Checkout https://web3auth.io/docs/server-side-verification/social-login-users#verifying-jwt-token-idtoken to learn more.

[Kushak1]

Thank you for you answer @shahbaz17 ! But just 1 last thing, how can I access app_scoped_privkey, is that the same thing as wallet private key written about here https://web3auth.io/docs/sdk/web/providers/#exporting-web3auth-private-key?