Cotter JWT Classes for JS
Read and decode jwt tokens generated by Cotter using the classes defined here. To read more about Cotter, get started with our 📚 integration guides and example projects.
Install
npm install cotter-jwt-js --save
or
yarn add cotter-jwt-js
Usage
To decode a jwt token:
;
const decodedToken = token;
console; // decoded jwt token object
console; // original token string
Expiry, IssuedAt, and Audience
// getting payload.exp
const expiredAt = decodedToken;
// getting payload.iat
const issuedAt = decodedToken;
// getting payload.aud
const audience = decodedToken;
Usage with Cotter
Cotter returns 2 types of jwt token: CotterAccessToken and CotterIDToken.
CotterAccessToken
This access token should be passed to your backend server, and used to authorize users to access your API. Validate the access token passed to your backend server using this example.
To decode the access token:
;
const decodedToken = accessToken;
console; // decoded jwt token object
console; // original token string
CotterAccessToken has the following attributes:
client_user_id: string;
authentication_method: string;
type: string;
scope: string;
// standard claims
aud: string;
exp: number;
jti: string;
iat: number;
iss: string;
nbf: number;
sub: string;
CotterAccessToken also extends all the methods available for CotterJWTToken.
CotterIDToken
The ID token follows the OpenID specifications and is provided to get more information about the user.
To decode the id token:
;
const decodedToken = accessToken;
console; // decoded jwt token object
console; // original token string
CotterIDToken has the following attributes:
client_user_id: string; // user id from your server
auth_time: string; // last authentication time
identifiers: string; // email/phone number
type: string;
// standard claims
aud: string;
exp: number;
jti: string;
iat: number;
iss: string;
nbf: number;
sub: string;
CotterIDToken also extends all the methods available for CotterJWTToken.
Getting Access Token from Cotter
When you want to request access tokens from Cotter, add the query parameter ?oauth_token=true at the end of your request.
For reference, current base url for Cotter:
https://www.cotter.app/api/v0
There are several endpoints where you can request access tokens from:
1. Create User Endpoint
POST /user/create?oauth_token=true
2. Update Methods Endpoint
PUT /user/:client_user_id?oauth_token=true
3. Create Approved Event Request Endpoint
POST /event/create?oauth_token=true
4. Get Event Request Endpoint
GET /event/get/:event_id?oauth_token=true
5. Get Identity Endpoint (using PKCE flow)
GET /verify/get_identity?oauth_token=true
When using these endpoints, you'll get an additional field called oauth_token:
Response
Request Token Explicitly
You can also request access tokens separately by passing in an identity_token or an event_token using these endpoints:
Get Token using Identity Token
When you receive an Identity Token from Cotter's Email/Phone Number Verification SDK, you can pass it to this endpoint to receive an access token.
POST /token
Content-Type: application/json
API_KEY_ID: <API-KEY-ID>
Response
Get Token using Event Token
When you receive an Event Token from Cotter's Trusted Device or PIN/Biometric SDK, you can pass it to this endpoint to receive an access token.
POST /token
Content-Type: application/json
API_KEY_ID: <API-KEY-ID>
Response
Get Token using Refresh Token
When your access token expires, you can get a new one using the refresh token that was given.
POST /token
Content-Type: application/json
API_KEY_ID: <API-KEY-ID>
Response
Note that you don't get a refresh token back.
Validating JWT Token
To validate the jwt token, you need Cotter's JWT Public Key. The Public Key is specified in this endpoint:
GET /token/jwks
There's only one key for now, so use that key.
To validate the jwt token using this key, check the example.
A simple example to validate the jwt token:
var jwt = ;
var jwkToPem = ;

const publicKeys = await axios.default;
const jwk = publicKeys.data.keys[0];
const pem = ;
jwt;
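The validation steps described above, written out as an added example (not Cotter's own code) using only Node.js built-ins: it verifies the signature against the single key in a JWKS document, then checks the exp, nbf, aud and iss claims. Assumptions: the ES256 algorithm, the helper names validateToken and signSample, the placeholder audience and issuer values, and a throwaway key pair generated locally in place of the key served at /token/jwks.

```javascript
// Added example: validate a JWT offline against a JWKS document (Node.js built-ins only).
const nodeCrypto = require("node:crypto");
const b64u = (x) => Buffer.from(x).toString("base64url");

// Constructed fixture: a throwaway P-256 key pair standing in for the issuer's key.
// In real use, `jwks` would be the JSON body returned by GET /token/jwks.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const jwks = { keys: [publicKey.export({ format: "jwk" })] };

// Hypothetical helper that mints sample tokens so the example runs without a network.
function signSample(header, payload) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = nodeCrypto.sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${input}.${b64u(sig)}`;
}

// Returns the payload when the token is valid; throws otherwise.
function validateToken(token, jwks, { audience, issuer, now = Math.floor(Date.now() / 1000) }) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  // Pin the algorithm (ES256 is an assumption here); never let the header pick it.
  if (header.alg !== "ES256") throw new Error("unexpected alg");
  const key = nodeCrypto.createPublicKey({ key: jwks.keys[0], format: "jwk" });
  const ok = nodeCrypto.verify("sha256", Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: "ieee-p1363" }, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  // Only read claims after the signature has been checked.
  const payload = JSON.parse(Buffer.from(p, "base64url").toString());
  if (typeof payload.exp !== "number" || payload.exp <= now) throw new Error("expired");
  if (typeof payload.nbf === "number" && payload.nbf > now) throw new Error("not yet valid");
  if (payload.aud !== audience) throw new Error("wrong audience");
  if (payload.iss !== issuer) throw new Error("wrong issuer");
  return payload;
}

// Constructed sample claims; the audience and issuer values are placeholders.
const NOW = 1700000000;
const sampleClaims = { sub: "user-1", aud: "my-api-key-id", iss: "https://issuer.example",
  iat: NOW, nbf: NOW, exp: NOW + 3600 };
const sampleToken = signSample({ alg: "ES256", typ: "JWT" }, sampleClaims);
const expected = { audience: "my-api-key-id", issuer: "https://issuer.example", now: NOW };
console.log(validateToken(sampleToken, jwks, expected).sub);
```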