Guide

Verifying Tokens in Your Server

Name: Authon
Author: Authon

Authon is a frontend-only SDK. This guide explains how to verify Authon-issued tokens on your own server and issue your own session.

Overview

When a user logs in via the Authon popup, an Authon JWT is issued. If you have your own backend API, you need a "bridge" pattern: send the Authon token to your backend, verify it, then issue your own session/JWT.

1. User logs in via Authon popup
2. Frontend receives Authon JWT authon.getToken()
3. Frontend sends token to your backend POST /api/auth/authon
4. Backend verifies token via Authon API GET /v1/auth/token/verify
5. Verified → issue your own service JWT

1. Frontend: Get the token

After Authon login, use getToken() to get the JWT and send it to your backend.

frontend.ts

import { Authon } from '@authon/js';

const authon = new Authon('pk_live_...');

authon.on('signedIn', async (user) => {
  const authonToken = authon.getToken();

  // Send token to your backend
  const res = await fetch('/api/auth/authon', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ token: authonToken }),
  });

  const { serviceToken } = await res.json();
  // Use serviceToken for your API calls
});

await authon.openSignIn();

2. Backend: Verify token + issue session

Call Authon's token verification API from your backend to validate the token. If valid, create (or find) the user and issue your own service JWT.

routes/auth.ts

app.post('/api/auth/authon', async (req, res) => {
  const { token } = req.body;
  if (!token) return res.status(400).json({ error: 'Token required' });

  // 1. Verify the Authon token
  const verify = await fetch('https:1
    headers: { Authorization: 4 },
  });
  const { valid, user: authonUser } = await verify.json();

  if (!valid || !authonUser) {
    return res.status(401).json({ error: 'Invalid Authon token' });
  }

  2
  let user = await db.users.findByEmail(authonUser.email);
  if (!user) {
    user = await db.users.create({
      email: authonUser.email,
      name: authonUser.displayName,
      provider: 'authon',
    });
  }

  3
  const serviceToken = jwt.sign(
    { userId: user.id, email: user.email },
    process.env.JWT_SECRET,
    { expiresIn: '7d' }
  );

  res.json({ serviceToken, user });
});

Token Verification API

GET/v1/auth/token/verify

Verifies an Authon JWT and returns user information. No API key required.

Request

bash

curl https://api.authon.dev/v1/auth/token/verify \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

Response

json

{
  "valid": true,
  "payload": {
    "sub": "user-uuid",
    "projectId": "project-uuid",
    "type": "access",
    "iat": 1711584000,
    "exp": 1711584900
  },
  "user": {
    "id": "user-uuid",
    "email": "user@example.com",
    "displayName": "Alan Kim",
    "avatarUrl": null,
    "emailVerified": true
  }
}

Always verify tokens server-side. Client-side token validation is insecure. Never issue service JWTs based on email alone — always verify the Authon token first.

getToken() Details

authon.getToken() returns the JWT issued by Authon. The token is signed with HS256 and expires after 15 minutes. The SDK automatically refreshes it when expired.

Field	Value
Format	JWT (HS256)
Expiry	15 minutes
Auto-refresh	Yes (handled by SDK)
Payload.sub	User UUID
Payload.projectId	Project UUID

Integration Checklist

Register your domain in Authon dashboardAdd your frontend domain to your API's CORS allowlistImplement bridge endpoint in your backend (POST /api/auth/authon)Verify Authon token via token/verify API in the bridgeIssue your own JWT/session after verificationHandle merging existing password users with Authon users (by email)Redirect old login/signup pages if needed