Issue with JWT verification using Web3Auth and jose library

Hi everyone,

I’m facing a challenge with JWT token verification in my application that integrates with Web3Auth. Specifically, when I try to verify the token using the jose library, I get an “ERR_JOSE_GENERIC” error in my application, but the same code works perfectly when run as a local script.

Here’s the code that works locally:

import * as jose from "jose";

(async () => {
  const idToken = '...'; // hardcoded token for testing
  try {
    const jwks = jose.createRemoteJWKSet(new URL("https://api-auth.web3auth.io/jwks"));
    const jwtDecoded = await jose.jwtVerify(idToken, jwks, { algorithms: ["ES256"] });
    console.log(jwtDecoded.payload.wallets[0]);
  } catch (e) {
    console.error(JSON.stringify(e)); // JSON.stringify keeps only an Error's own enumerable fields (code, name), dropping message and stack
  }
})();

And here’s the similar code in my application where it fails:

// `jose` is imported and `idToken` is obtained earlier in the application, as in the local script
try {
  const jwks = jose.createRemoteJWKSet(new URL('https://api-auth.web3auth.io/jwks'));
  const jwtDecoded = await jose.jwtVerify(idToken, jwks, { algorithms: ['ES256'] });
  // further processing
} catch (e) {
  console.error(JSON.stringify(e)); // JSON.stringify keeps only an Error's own enumerable fields (code, name), dropping message and stack
}

In the application, this throws “ERR_JOSE_GENERIC”. The error object looks like this:

{
  "code": "ERR_JOSE_GENERIC",
  "name": "JOSEError"
}

My local environment uses Node.js version 20.12.1.

I’ve tried the following troubleshooting steps:

  • Updated the JWKS endpoint to https://api-auth.web3auth.io/jwks as per the latest documentation.
  • Manually verified the token on jwt.io, and it appears to be valid.
  • Considered network issues, but I’m unsure if there are restrictions in the application environment that prevent accessing the JWKS endpoint.
  • Ensured the token is not expired and that the kid matches the keys in JWKS (at least in the local environment).
  • Checked for differences in library versions or Node.js versions between local and application environments.

Additionally, I’ve looked at similar issues online, such as:

  • JWT verification with jose is failing
  • JWT Errors | Documentation | Web3Auth

Could someone please provide insights into why this discrepancy might be occurring? Is there something particular about application environments that could affect JWT verification with jose and Web3Auth?

Also, my application integrates with Sapphire Mainnet, but I’m not sure if that’s relevant. Could there be any impact from that?

Thank you in advance for your assistance!

Best regards

Thanks for the detailed explanation and for sharing your troubleshooting steps! Here’s a summary for the support team, along with some next steps and suggestions for you:
Issue Summary

  • SDK Used: PnP Web SDK
  • JWT Verification Library: jose
  • Platform/Environment: Node.js 20.12.1 (works locally, fails in deployed application)
  • Error: ERR_JOSE_GENERIC (JOSEError) when verifying JWT with jose in the application. Works as expected locally.
  • JWKS Endpoint: https://api-auth.web3auth.io/jwks
  • Token: Verified as valid on jwt.io, not expired, kid matches JWKS keys.
  • Sapphire Mainnet Integration: Not sure if relevant.

Details Provided

  • Code snippets for both local and application environments.
  • Troubleshooting steps already taken:
    • Ensured correct JWKS endpoint.
    • Token validity and kid matching.
    • Considered network issues.
    • Checked library and Node.js versions.
  • Related documentation and forum topics reviewed.

Additional Details Needed

To help the support team further, could you please provide:

  • Are there any differences in how environment variables or network requests are handled between your local and application environments (e.g., firewalls, proxies, VPC restrictions)?
  • Is the application running in a serverless environment, Docker container, or behind any network security group?
  • Can you share the exact version of the jose library used in both environments?
  • Are there any additional logs or stack traces from the error in the application (sometimes jose errors can be more descriptive with stack traces)?
  • If possible, a browser console/network screenshot (if this is a web app) or relevant logs from the deployed app.

Potential Next Steps & Suggestions

  1. Network Access:
    Since the error only occurs in the deployed application, it’s likely related to network access to the JWKS endpoint.

    • Try fetching https://api-auth.web3auth.io/jwks directly from your application environment (e.g., using curl or fetch) to see if it’s accessible.
    • If blocked, check firewall or proxy settings.
  2. Library Version Mismatch:

    • Double-check the jose library version in both environments. Sometimes subtle differences can cause issues.
  3. Environment Differences:

    • If running in a restricted environment (e.g., AWS Lambda, Docker), ensure outbound HTTPS requests are allowed.
  4. Debugging:

    • Add more detailed error logging (e.g., e.stack) to see if there’s more info.
    • Try a minimal script in the application environment (similar to your local test) to isolate the issue.
  5. Documentation:
Let us know if you can provide the above details, especially around network access and the jose version in your application environment. This will help us pinpoint the root cause faster!

If you have any logs or screenshots, feel free to upload them.

Thanks for your patience and detailed report!

Note: This response was generated by an AI bot and may require further verification. The Web3Auth support team has tracked this issue and will be responding as soon as possible.

Additionally, we recommend that you join our biweekly Office Hours to get this resolved even faster: Web3Auth Developer Office Hours

Does the jwks endpoint have some kind of rate limiting?

I tried:

const jwks = jose.createLocalJWKSet(/* hardcoded data from endpoint */)

And it worked, but according to this issue, https://web3auth.io/community/t/does-this-endpoint-https-api-openlogin-com-jwks-always-return-same-jwks/2682, I think we should avoid using hardcoded data from the endpoint.