What to do with the session jwt?

Hi,

I have a simple question regarding the session_jwt returned by authentication. i.e. Can I use the session_jwt directly in my app with user? If so, how can I validate the JWT in my own backend, do I have to call your sessions.authenticate API in every backend call to ensure the JWT is valid?

I saw the authenticateJwt method, can you help me understand how the public jwt is validated in the SDK locally, e.g. what secret is used to validate that locally?

Hey Yingzhong,

Thanks for posting!

I saw the authenticateJwt method, can you help me understand how the public jwt is validated in the SDK locally

This is exactly the method we’d recommend if you’re utilizing one of Stytch’s backend SDKs!

This method first tries to validate the JWT locally via your project’s JWKS. If local validation fails (e.g. if the JWT is expired), this method will fall back to hitting our /authenticate endpoint.

For context, Stytch JWTs always have a lifetime of 5 minutes, regardless of the underlying session duration. Our frontend SDKs automatically refresh the JWT in the background to minimize the number of calls necessary to Stytch servers on your backend authentication routes (to optimize for latency). In the event that the JWT that is passed into authenticateJwt() is expired for some reason (but the underlying session is still valid), local authentication using your project’s JWKS will fail, but the fallback call to Stytch servers via authenticate() will mint a new JWT.

For additional information I’d recommend checking out our JWTs vs Sessions blog post, which goes into a bit more detail about the distinction and tradeoffs!

Let us know if you have any further questions about this and we’ll be happy to help!