Protecting API Routes
Use verifyAccessToken to validate a Bearer token in Route Handlers.
verifyAccessToken fetches the JWKS from Authgear (cached for 1 hour), verifies the RS256 signature, and checks exp, iss, and aud.
JWTPayload fields
| Field | Type | Description |
|---|---|---|
| `sub` | `string` | Subject (user ID) |
| `iss` | `string` | Issuer — your Authgear endpoint |
| `aud` | `string \| string[]` | Audience — your client ID |
| `exp` | `number` | Expiry (Unix timestamp) |
| `iat` | `number` | Issued at (Unix timestamp) |
| `client_id` | `string?` | OAuth client ID |
| `roles` | `string[]?` | `https://authgear.com/claims/user/roles` |
| `[key]` | `unknown` | Any additional claims |
Calling the API from a Server Action
When the proxy is active, it injects the `Authorization` header for page requests, but not for direct `fetch()` calls. Use a Server Action to forward the session token: