User Session (JWT/Authorization)

Getting a user's access token from a request

When your app frontend sends a request to your server, you should include the current user's access token in the Authorization header of the request. This allows your backend to securely identify the requesting user and gate API routes based on their authentication status, their user ID, and more.

This guide assumes you have already configured your frontend to include users' access tokens in requests to your server. If this is not the case, please begin with the frontend authorization guide.

When your server receives a request, the location of the user's access token depends on whether your app uses local storage (the default) or cookies to manage user sessions:

  • If using local storage to store a user's session, the access token will be passed in the Authorization header of the request.
  • If using cookies to store a user's session, the access token will be passed in the openfort-token cookie on the request.

For example, in Next.js, you might extract the access token from a NextApiRequest as follows:

```javascript
// Strip the "Bearer " scheme prefix; guard against a missing header so the route does not throw
const accessToken = req.headers.authorization?.replace('Bearer ', '') ?? null;
```

Verifying the user's access token

Once you've obtained the user's access token from a request, you should verify the token against Openfort's verification key for your app to confirm that the token was issued by Openfort and that the user referenced by the player ID in the token is truly authenticated.

The access token is a standard ES256 JWT and the verification key is a standard Ed25519 public key. You can verify the access token against the public key using the officially supported libraries or using a third-party library for managing tokens.

When using Openfort auth

```javascript
import Openfort from "@openfort/openfort-node";

// Server-side client, initialised with the secret key from the environment (never the frontend)
const openfort = new Openfort(process.env.OPENFORT_SK);

// Verify the token extracted from the request and obtain the authenticated session
const authSession = openfort.iam.verifyAuthToken("USER_AUTH_TOKEN");
```

When using a third-party auth

When using a third-party auth provider, you can either verify the token using the provider's SDK or use Openfort's SDK to verify the token.

```javascript
import Openfort from "@openfort/openfort-node";

// Server-side client, initialised with the secret key from the environment (never the frontend)
const openfort = new Openfort(process.env.OPENFORT_SK);

// Verify a token issued by the third-party provider and obtain the authenticated session
const authSession = openfort.iam.verifyOAuthToken({
  provider: 'firebase', // one of "google" | "twitter" | "facebook" | "discord" | "epic_games" | "accelbyte" | "firebase" | "lootlocker" | "playfab" | "supabase" | "custom" | "oidc"
  token: "USER_AUTH_TOKEN",
  tokenType: 'idToken', // either "idToken" | "customToken"
});
```
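The following is an added example, not Openfort's own code, tying together the two steps above: it locates the access token on an incoming request for both session-storage modes (the Bearer Authorization header, or the openfort-token cookie) and hands it to a verifier to gate the route. `verifyToken` is an assumed injectable callback (for instance a wrapper around `openfort.iam.verifyAuthToken`), and the request shape mirrors Node's IncomingMessage with lower-cased header names.

```javascript
const SESSION_COOKIE = "openfort-token"; // cookie name used for cookie-based sessions

// Parse a Cookie header into a name -> value map (first occurrence of a name wins).
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name && !(name in out)) {
      // A hostile cookie value must not crash the handler on bad percent-encoding
      try { out[name] = decodeURIComponent(value); } catch { out[name] = value; }
    }
  }
  return out;
}

// Return the raw token string or null. Local-storage sessions send
// "Authorization: Bearer <jwt>"; cookie sessions send the openfort-token cookie.
function extractAccessToken(req) {
  const auth = req.headers["authorization"];
  if (typeof auth === "string") {
    const m = /^Bearer\s+(\S+)$/i.exec(auth.trim());
    // A present but malformed Authorization header is rejected, not silently
    // replaced by the cookie, so the client learns its header is wrong.
    return m ? m[1] : null;
  }
  const cookies = parseCookies(req.headers["cookie"]);
  return cookies[SESSION_COOKIE] || null;
}

// Gate a route: resolve to the verified session, or to a 401 result describing why not.
// verifyToken is the assumed async verifier (e.g. wrapping openfort.iam.verifyAuthToken).
async function authenticateRequest(req, verifyToken) {
  const token = extractAccessToken(req);
  if (!token) return { ok: false, status: 401, reason: "missing access token" };
  try {
    const session = await verifyToken(token);
    return { ok: true, session };
  } catch (err) {
    // Do not leak verifier internals to the client; log err server-side if needed
    return { ok: false, status: 401, reason: "invalid access token" };
  }
}
```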