Ways to authenticate non-js api?

I went through the plugin section of the Better Auth docs and ive noticed that authenticating non-js APIs can be done using two methods: JWT or Bearer tokens. right?

I just want to cross-check to ensure I understand correctly:

If I use a JWT token, how should I verify it? Should the verification be done using the BETTER_AUTH_SECRET?
If I opt for the Bearer token (is it essentially the session token?), how should I verify it? Do I need to check my database on every request to confirm the presence of the Bearer token before verifying it? Is there any other method to do so?

Laktos•1/2/25, 6:53 AM

Hey! I haven't used the bearer token but the JWT token is possible to verify through the public key of the JWKs, if using a compatible (asymmetric) encryption method, like RS256. The principles are here: https://auth0.com/blog/navigating-rs256-and-jwks/
And then regarding how it's done in your case, you'll probably want "jsonwebtokens", and then use "verify()" from there, and then use the public key which you can get from the better-auth BE API "jwks()" (which as far as I could tell only gave the public part) and converting it to PEM, and then passing that to the verify function.

Just make sure that you're not leaking any private key. I was just testing around with this, not using it atm so can't help much more than this.

Auth0 - Blog

Navigating RS256 and JWKS | Auth0

Learn how to use an algorithm like RS256 and the JWKS endpoint to allow your applications to trust the JWTs signed by Auth0.

Mad_angleOP•1/3/25, 10:05 PM

to get the token, i called the /token endpoint without including header. which will return token, and then pass it to the api header... correct? like this:

Mad_angleOP•1/3/25, 10:09 PM

to verify the token on server....hit the /jwks which will return keys and then, check that kid of token is equal to kid of key..right?

Reis•1/3/25, 11:06 PM

@Mad_angle yes, you have to use jose and validate it, something like this

const parseJwksToken = async ({ crv, x, kty, token }: ParseJwksTokenProps) => {
  try {
    const { payload } = await jose.compactVerify(token, {
      crv,
      x,
      kty,
    });

    const decrypedToken = JSON.parse(new TextDecoder().decode(payload)) as {
      id: string;
    };

    return decrypedToken;
  } catch {
    return null;
  }
}

const parseJwksToken = async ({ crv, x, kty, token }: ParseJwksTokenProps) => {
  try {
    const { payload } = await jose.compactVerify(token, {
      crv,
      x,
      kty,
    });

    const decrypedToken = JSON.parse(new TextDecoder().decode(payload)) as {
      id: string;
    };

    return decrypedToken;
  } catch {
    return null;
  }
}

const parseJwksToken = async ({ crv, x, kty, token }: ParseJwksTokenProps) => { try { const { payload } = await jose.compactVerify(token, { crv, x, kty, }); const decrypedToken = JSON.parse(new TextDecoder().decode(payload)) as { id: string; }; return decrypedToken; } catch { return null; } }

Ways to authenticate non-js api?

Similar Threads

Similar Threads

Similar Threads