Can't verify JWT token in the backend

Hi there,

I have a simple backend for my app and I want to validate whether the request has come from a valid authenticated Monday user.

From the frontend I get the session token:

monday.get("sessionToken").then((res) => {...})

And then, I use that token to send the request to my backend. In the NodeJS backend I then verify this JWT token using my Signing Secret:

jwt.verify(tokenFromClient, MONDAY_SIGNING_SECRET)

Turns out this doesn’t work and I get “invalid signature”. However, if I use the Client Secret instead, then it works fine.

Am I misunderstanding anything? I thought that in order to validate in the backend if the request is valid, I should use the signing secret to validate the token. Or am I using the wrong token for this?

Thank you.

Hey @v-appgami ,

can you try it like this:

jwt.verify(

      tokenFromClient,

      process.env.MONDAY_SIGNING_SECRET

)

Tell me if that helped.

Hi @TMNXT-Dev,

That doesn’t change the result. I wasn’t using the environment variable just because I was trying. You can consider I had the correct keys on the MONDAY_SIGNING_SECRET variable that I mentioned on the original question.

The point is: is it expected to be able to verify the JWT token in the backend that I got from monday.get("sessionToken") using the Client Secret, or it should work with the Signing Secret instead?

Thank you.

Hey there @v-appgami :wave: Thanks for raising this question and providing context to what you are trying to achieve, as well as the issues you are having in the process. That really helps :slight_smile:

@TMNXT-Dev thanks for jumping in and sharing your expertise! I appreciate the help.

That said, @v-appgami - this is something I’ll have to check over with the team and then get back to you as soon as I get further updates from them. I hope that works for you!

-Alex

1 Like

@v-appgami

This is the correct behaviour (at least from what I have been told by the dev team).

The session token is encoded using your apps Client Secret.

2 Likes

Brilliant, thank you @mitchell.hudson!