B2B JWT Token Validation Golang

I’m trying to validate a JWT token I generated using the member discovery flow for Next.JS that I’ve passed to a backend Golang API. The documentation recommends I use the Stytch Golang SDK to do this validation but it seems like the SDK is not suited for B2B generated JWT tokens.

Firstly, the JWK url it attempts to hit is the consumer facing one. Secondly, the extracted claim information doesn’t include the member and organization from the request.

Is my understanding correct here? It seems like once the above two problems are fixed (the second one is technically less blocking) we should be able to authenticate with the JWK approach.

Hey Kaelen – thanks for posting!

Could you please confirm the following:

  1. You’re using the most recent version of our Go SDK (v11.3.1).

  2. You’re using our B2B Stytch client rather than a Consumer client. Your session authentication code should look something like this:

    package main

    import (
        "context"
        "log"

        "github.com/stytchauth/stytch-go/v11/stytch/b2b/b2bstytchapi"
        "github.com/stytchauth/stytch-go/v11/stytch/b2b/sessions"
    )

    func main() {
        // Use the B2B client with B2B project credentials; a Consumer client
        // fetches the consumer JWKS and cannot validate a B2B session JWT.
        client, err := b2bstytchapi.NewClient(
            "B2B_PROJECT_ID",
            "B2B_SECRET",
        )
        if err != nil {
            log.Fatalf("error instantiating API client %s", err)
        }

        params := &sessions.AuthenticateParams{
            SessionJWT: "SESSION_JWT",
        }
        // The response carries the Member and Organization for the session.
        resp, err := client.Sessions.Authenticate(context.Background(), params)
        if err != nil {
            log.Println(err)
        }
        log.Println(resp)
    }

Using the above, I believe you should be able to successfully validate a B2B-generated JWT and receive the expected Member and Organization data in response.

If not, please let me know, and I’ll be happy to take another look!
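As an added example (not code from the thread or from the Stytch SDK), here is how a backend Go API would wrap the session authentication call from the reply above in HTTP middleware that fails closed: the JWT is taken from the Authorization header, handed to the B2B session authenticator, and the request only proceeds if a Member and Organization come back. The `SessionAuthenticator` interface, `SessionInfo` struct and `fakeAuthenticator` are assumptions constructed for this example so it runs offline; in production the interface would be implemented by a thin wrapper around `client.Sessions.Authenticate` on the B2B client.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SessionAuthenticator abstracts the call that validates a B2B session JWT.
// Assumption for this example: in production, implement it by wrapping
// client.Sessions.Authenticate from the Stytch B2B Go client.
type SessionAuthenticator interface {
	Authenticate(ctx context.Context, sessionJWT string) (*SessionInfo, error)
}

// SessionInfo holds the identity a validated B2B session resolves to
// (constructed type; the real SDK response carries richer Member/Organization data).
type SessionInfo struct {
	MemberID       string
	OrganizationID string
}

type ctxKey int

const sessionKey ctxKey = 0

// SessionFromContext returns the session attached by RequireB2BSession.
func SessionFromContext(ctx context.Context) (*SessionInfo, bool) {
	s, ok := ctx.Value(sessionKey).(*SessionInfo)
	return s, ok && s != nil
}

// bearerToken extracts the JWT from an "Authorization: Bearer <jwt>" header.
func bearerToken(r *http.Request) (string, bool) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if len(h) <= len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return "", false
	}
	tok := strings.TrimSpace(h[len(prefix):])
	return tok, tok != ""
}

// RequireB2BSession rejects any request whose JWT does not authenticate to a
// Member in an Organization, and otherwise attaches the session to the context.
func RequireB2BSession(auth SessionAuthenticator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, ok := bearerToken(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		info, err := auth.Authenticate(r.Context(), tok)
		if err != nil || info == nil || info.MemberID == "" || info.OrganizationID == "" {
			// Fail closed; do not echo the token or the SDK error to the caller.
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), sessionKey, info)))
	})
}

// fakeAuthenticator is a constructed stand-in for the SDK client so the example
// runs offline; it accepts exactly one constructed token value.
type fakeAuthenticator struct{}

func (fakeAuthenticator) Authenticate(_ context.Context, jwt string) (*SessionInfo, error) {
	if jwt == "valid-constructed-token" {
		return &SessionInfo{MemberID: "member-test-123", OrganizationID: "organization-test-456"}, nil
	}
	return nil, errors.New("session authentication failed")
}

// ServeWithAuth runs one request through the middleware and returns the status
// code plus the organization id the protected handler saw ("" when rejected).
func ServeWithAuth(auth SessionAuthenticator, authorization string) (int, string) {
	var seenOrg string
	h := RequireB2BSession(auth, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if s, ok := SessionFromContext(r.Context()); ok {
			seenOrg = s.OrganizationID
		}
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/resource", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, seenOrg
}

func main() {
	code, org := ServeWithAuth(fakeAuthenticator{}, "Bearer valid-constructed-token")
	fmt.Println(code, org) // 200 organization-test-456
}
```

The middleware deliberately treats a missing header, a non-Bearer scheme, an SDK error, and a response with no Member or Organization all the same way (401 with a generic body), so a client-type mismatch like the one in this thread surfaces as a clean rejection on the server side rather than a partially trusted request.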

@nicole-stytch Ah yes, silly me. I was using the consumer client instead of the B2B client. I switched to using that one and it's working as intended. Thanks for your help and fast reply!

Are there any plans to update the README for the SDK to call out B2B distinctions in the examples?

Hey Kaelen,

Awesome, glad everything is working now!

Are there any plans to update the README for the SDK to call out B2B distinctions in the examples?

This is a great callout - I’ve flagged this internally for our team! I’ll also note that we have an outstanding internal request to change SDK behavior here to make it clearer earlier on that there is a mismatch between the API keys provided and the type of client initialized (B2C vs B2B), which I’ve added a +1 to as well.

Please let us know if we can help with anything else!