JwksError: Forbidden

Hello,
We try to decode the JWT from users in our backend.
Following the documentation, we have the following function in the backend.
But it returns JwksError: Forbidden.
Do I need to activate something in addition in the settings? I can see only the endpoint mentioned there: https://api-auth.web3auth.io/.well-known/jwks.json
We are on the Scale plan.

const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');

// Project client id, used as the expected `aud` claim (loaded from configuration).
const clientId = process.env.WEB3AUTH_CLIENT_ID;

const client = jwksClient({
  jwksUri: 'https://auth.web3auth.io/.well-known/jwks.json',
});

// Resolve the signing key named by the token header's `kid` from the JWKS endpoint.
function getKey(header, callback) {
  client.getSigningKey(header.kid, (err, key) => {
    if (err) {
      console.log(err);
      return callback(err);
    }
    const signingKey = key.getPublicKey();
    console.log('signkey', signingKey);
    callback(null, signingKey);
  });
}

const verifyToken = async (req, res, next) => {
  const authHeader = req.headers['authorization'];

  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'Missing or malformed token' });
  }

  const idToken = authHeader.replace('Bearer ', '');
  try {
    jwt.verify(
      idToken,
      getKey,
      {
        algorithms: ['ES256'],
        issuer: 'https://auth.web3auth.io',
        audience: clientId,
      },
      (err, decoded) => {
        if (err) {
          console.error('JWT verification failed:', err);
          return res.status(401).json({ error: 'Unauthorized' });
        }

        console.log('✅ Verified user:', decoded);
        //req.user = decoded;
        req.jwt = decoded;
        req.body.publickey = decoded.publickey;

        next();
      }
    );
  } catch (error) {
    // next()
    console.log('Auth error:', error);
    return res.status(403).json({ message: 'Not authenticated', status: 'denied' });
  }
};

module.exports = { verifyToken };

Thank you for the detailed information, Oliver! Here’s a summary of your issue and the relevant details for the support team:


Issue Summary

  • Problem:
    You’re getting a JwksError: Forbidden when trying to decode/verify the JWT (idToken) from users in your backend using the JWKS endpoint.
    You are on the Scale plan and using the Plug n Play SDK.

  • Backend Code Snippet:

    const client = jwksClient({
      jwksUri: 'https://auth.web3auth.io/.well-known/jwks.json',
    });
    
    function getKey(header, callback) {
      client.getSigningKey(header.kid, (err, key) => {
        if (err) {
          console.log(err)
          return callback(err);
        }
        const signingKey = key.getPublicKey();
        callback(null, signingKey);
      });
    }
    
    // ... JWT verification logic follows ...
    
  • JWKS Endpoint Used:
    https://auth.web3auth.io/.well-known/jwks.json (as per your code and question)

  • SDK/Platform:

    • Plug n Play SDK (exact version not specified)
    • Backend: Node.js (with jsonwebtoken and jwks-rsa)
  • Authentication Flow:

    • Users log in via Web3Auth.
    • The backend receives the idToken and tries to verify it using the JWKS endpoint.

Key Questions for Support

  1. Is there an additional setting to enable JWKS access for backend verification on the Scale plan?
  2. Is the correct JWKS endpoint being used for Plug n Play SDK-issued tokens?
    (You are using https://auth.web3auth.io/.well-known/jwks.json but docs also mention https://api-auth.web3auth.io/jwks for idToken verification.)
  3. Are there any IP allowlists or project settings that could block access to the JWKS endpoint?
  4. Is there a difference between the JWKS endpoints for different Web3Auth SDKs or plans?

Recommendations & Next Steps

  • Try the recommended JWKS endpoint for idToken verification:
    According to Web3Auth docs, the endpoint for verifying identity tokens is:

    https://api-auth.web3auth.io/jwks
    

    Try updating your jwksUri to this endpoint:

    jwksUri: 'https://api-auth.web3auth.io/jwks'
    

    This might resolve the Forbidden error if the endpoint you were using is not intended for your use case.

  • Check project settings:
    Ensure your project settings in the Web3Auth Dashboard do not restrict JWKS access or IPs.

  • If the issue persists:
    Please provide:

    • A sample idToken (with sensitive info redacted if needed)
    • The exact error stack trace (if more details are available)
    • Any relevant screenshots from your dashboard or backend logs

Reference Documentation:


Let us know if switching the JWKS endpoint solves your issue, or if you need further guidance!

Note: This response was generated by an AI bot and may require further verification. The Web3Auth support team has tracked this issue and will be responding as soon as possible.

Additionally, we would recommend you to join our biweekly Office Hours to get this resolved even faster. Web3Auth Developer Office Hours