Verifying JWT signing key with jsonwebtoken

I want to switch to the new JWT signing keys and I can't get it to work with "jsonwebtoken": "^9.0.2". Using the Legacy JWT Secret, this worked:
import jwt from "jsonwebtoken";
// Pull the JWT out of "Authorization: Bearer <jwt>" (Express request object)
const token = req.header("Authorization")?.split(" ")[1]?.trim();
// HS256 verification against the shared legacy secret
const decodedToken = jwt.verify(token, supabaseJwtSecret || "");
where supabaseJwtSecret was just the Legacy JWT secret key. I tried changing the algorithm like this: jwt.verify(token, supabaseJwtSecret || "", { algorithms: ['ES256'] }), but I get "Token verification error: secretOrPublicKey must be an asymmetric key when using ES256". I am using the new format: sb_publishable_. Has anyone made verifying the new keys work with jsonwebtoken?
4 Replies
inder (2mo ago)
I assume you mean verifying the user's access token. You'll have to use the new JWT signing keys from this page. In my test instance I've revoked the old keys and generated a new access token. As these are asymmetric keys, you can only verify the token with the key you generate:
import jwt, { type Secret, type PublicKey } from "jsonwebtoken";
import jwksClient from "jwks-rsa";

// Client for the project's public signing keys (Supabase Auth JWKS endpoint).
const client = jwksClient({
  jwksUri: "https://PROJECT_REF.supabase.co/auth/v1/.well-known/jwks.json",
  timeout: 10 * 1000,
});

// With no kid argument jwks-rsa returns the single key in the set; during key
// rotation, when several keys are published, pass the kid from the token header.
const updatedKey = await client.getSigningKey();

// Pin the algorithm so the token cannot choose one itself.
const verifyToken = (key: Secret | PublicKey, token: string) =>
  jwt.verify(token, key, { algorithms: ["ES256"] });

const token = "TOKEN HERE";

console.log(verifyToken(updatedKey.getPublicKey(), token));
erztemplerobba (OP, 2mo ago)
Thanks a lot @inder, I'll try that. I guess the const token is still the same user's JWT that would be sent via the header to the server, correct? In the old format, like this: Authorization: Bearer <eyJhbGciOiJFUzI1NiIsImtpZCI6IjY0ZmJjYWE5...>
inder (2mo ago)
Yes, correct. When you make a request using the Supabase SDK, for example to invoke a function, the token will be added in the Authorization header.
garyaustin (2mo ago)
Just remember that the new publishable and secret keys (no user session to replace apikey in the Authorization header) won't work like they used to if not going through the Supabase infra. The edge functions are an example where they have a disclaimer about this.
