Trying to validate JWT tokens from the Genesys Cloud implicit grant in a React app. The goal is to keep the session alive without forcing the user to re-authenticate constantly. I have the token stored in memory after the initial login flow completes successfully. When I send requests to our internal backend, I include the Bearer token in the Authorization header. The backend then tries to verify the token signature against the Genesys Cloud JWKS endpoint at https://login.mypurecloud.com/api/v2/authorization/jwks.json.
The issue is intermittent. Sometimes the verification works fine. Other times, the backend returns a 401 Unauthorized error. The error message from our server says ‘invalid signature’ or ‘token expired’. I checked the payload and the exp claim looks valid for another 10 minutes. It’s confusing why the signature check fails when the token is clearly still within its lifetime.
Here is the verification logic I’m using in Node.js with jsonwebtoken:
    const jwt = require('jsonwebtoken');
    const jwksClient = require('jwks-rsa');

    // Client that fetches signing keys from the JWKS endpoint
    const client = jwksClient({
      jwksUri: 'https://login.mypurecloud.com/api/v2/authorization/jwks.json'
    });

    // Resolve the public key whose kid matches the token header
    function getKey(header, callback) {
      client.getSigningKey(header.kid, function(err, key) {
        if (err) {
          // Lookup failed (unknown kid, network error); key is undefined here
          return callback(err);
        }
        const signingKey = key.publicKey || key.rsaPublicKey;
        callback(null, signingKey);
      });
    }

    // token and res come from the enclosing request handler
    jwt.verify(token, getKey, { algorithms: ['RS256'] }, (err, decoded) => {
      if (err) {
        console.error('Token verification failed:', err.message);
        return res.status(401).send('Invalid token');
      }
      res.send('Valid token');
    });
The error happens even when I copy the exact token from the browser dev tools and test it. Not sure if I’m missing a step in the key rotation handling.
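Added example, not part of the original post: a verifier built only on Node's `crypto` module (not `jsonwebtoken` or `jwks-rsa`) that returns a distinct reason for each failure, so an intermittent 401 can be attributed to an unknown `kid`, a bad signature, or expiry, and that refreshes its key set once when it sees an unknown `kid`. The names `newKey`, `signJwt`, `makeVerifier`, `fetchJwks` and the reason strings are hypothetical, and the keys are constructed locally.

```javascript
const crypto = require('crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const unb64 = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed key pair plus its public JWK, shaped like one JWKS entry.
function newKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { privateKey, jwk: { ...publicKey.export({ format: 'jwk' }), kid } };
}

// Constructed issuer standing in for the identity provider: signs an RS256 JWT.
function signJwt(privateKey, kid, claims) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(crypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
}

// fetchJwks: hypothetical synchronous callback returning { keys: [jwk, ...] }.
function makeVerifier(fetchJwks, clockToleranceSec = 30) {
  let keys = fetchJwks().keys;
  return function verify(token, nowSec = Math.floor(Date.now() / 1000)) {
    const parts = String(token).split('.');
    if (parts.length !== 3) return { ok: false, reason: 'malformed' };
    let header, claims;
    try {
      header = unb64(parts[0]);
      claims = unb64(parts[1]);
    } catch (e) {
      return { ok: false, reason: 'malformed' };
    }
    if (!header || !claims) return { ok: false, reason: 'malformed' };
    // Pin the algorithm; never trust the alg the token announces.
    if (header.alg !== 'RS256') return { ok: false, reason: 'unexpected_alg' };
    let jwk = keys.find((k) => k.kid === header.kid);
    if (!jwk) {
      // Unknown kid: the issuer may have rotated keys, so refresh once.
      // Rate-limit this in production so random kids cannot force refetches.
      keys = fetchJwks().keys;
      jwk = keys.find((k) => k.kid === header.kid);
    }
    if (!jwk) return { ok: false, reason: 'unknown_kid' };
    const publicKey = crypto.createPublicKey({ key: jwk, format: 'jwk' });
    const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
    const sigOk = crypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(parts[2], 'base64url'));
    if (!sigOk) return { ok: false, reason: 'invalid_signature' };
    // Expiry is checked only after the signature, with a small skew allowance.
    if (typeof claims.exp !== 'number' || nowSec >= claims.exp + clockToleranceSec) return { ok: false, reason: 'expired' };
    return { ok: true, claims };
  };
}
```

Logging the returned `reason` next to the token's `kid` and the server clock at the time of the 401 shows which of the three checks actually failed.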