
Authentication

The backend verifies Web3Auth idToken JWTs on every authenticated request.

Verification Steps

  1. Extract the idToken from the Authorization: Bearer <idToken> header
  2. Decode the JWT header to find the kid (key id)
  3. Preferred: verify against the project’s static PEM public key (WEB3AUTH_VERIFICATION_KEY)
  4. Fallback: fetch the JWKS from JWKS_ENDPOINT and match the kid
  5. Validate: signature, expiry, issuer, audience

Devnet Mode

When WEB3AUTH_ALLOW_UNVERIFIED=true (for Sapphire Devnet):

  • Skips the signature check
  • Still enforces audience, issuer, and expiry

WEB3AUTH_ALLOW_UNVERIFIED must be false on mainnet, where the JWKS endpoint works correctly.

Configuration

Env Var                   | Purpose                       | Default
WEB3AUTH_CLIENT_ID        | Token audience check          |
WEB3AUTH_VERIFICATION_KEY | Static PEM public key         |
JWKS_ENDPOINT             | JWKS URL                      | https://api-auth.web3auth.io/.well-known/jwks.json
WEB3AUTH_ALLOW_UNVERIFIED | Skip signature (devnet only)  | false