Hey everyone,
I’m building a custom dashboard for our WFM team to track adherence metrics. It’s a React single-page app, and I’ve been using the implicit grant flow for authentication because we need a quick UI setup without a backend server handling the token exchange.
The login part works fine. I get the access token in the URL fragment after redirecting to Genesys Cloud’s auth server. I parse it out and store it in local storage. But now I’m trying to validate that the token is still valid before making API calls to /api/v2/analytics/wfm/schedules/details.
I’m using the jsonwebtoken library in Node.js/React to decode and verify the token. Here’s the code I’m using:
import jwt from 'jsonwebtoken';

// publicKey must be defined before this is called: the PEM-encoded RSA public key
// built from the JWKS entry whose kid matches the token header.
const validateToken = (token) => {
  try {
    // I'm trying to verify the signature using the public key from Genesys Cloud
    const decoded = jwt.verify(token, publicKey, {
      algorithms: ['RS256'],
      issuer: 'https://api.mypurecloud.com',
      audience: 'https://api.mypurecloud.com'
    });
    return decoded;
  } catch (error) {
    console.error('Token validation failed:', error);
    return null;
  }
};
The problem is that jwt.verify is throwing a JsonWebTokenError: invalid signature. I’m using the public key from https://api.mypurecloud.com/.well-known/jwks.json. I’ve double-checked the key ID (kid) matches the one in the token header.
Is there something specific about how Genesys Cloud signs these tokens that I’m missing? Or is the implicit grant flow not meant to be validated client-side like this? I know PKCE is better, but we’re stuck with implicit for now.
Any ideas on what I’m doing wrong?