React: Validating Genesys JWT from Implicit Grant

Hey folks,

I’m building a small internal tool for our scheduling team to view real-time adherence without forcing agents to log in again. We’re using the implicit grant flow in our React app to get the token, which works fine for the initial login. The issue is trusting that token on the client side before we make API calls.

I want to validate the JWT without hitting the server every time, just to check if it’s expired or tampered with. I tried using jwt-decode but I’m not sure if the signature verification works client-side since we don’t have the private key.

Here is the snippet I’m using to extract the token:

import { useGenesysCloud } from '@genesyscloud/web-messaging-sdk';

const { getToken } = useGenesysCloud();
const token = getToken();

When I pass this token to a validation library, it throws a “Signature verification failed” error. I know the token is valid because the API calls succeed. Do I need to fetch the public keys from the Genesys OpenID config endpoint manually to verify this in React? Or is there a simpler way to check the exp claim safely?

I’ve been staring at this for an hour and just want to make sure we’re not exposing ourselves to replay attacks. Any pointers on the best practice here?
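
For the "check the exp claim" part of the question, an added example (not part of the original post, and not Genesys code): reading `exp` and `nbf` from a JWT-formatted token in the browser. It assumes the token is a three-part JWT; the function names, status strings and the 60-second renewal margin are illustrative. Nothing here verifies the signature, so the result is only a hint for when to re-authenticate, and the API's own check of the token remains the authority.

```javascript
// Added example: inspect a JWT's lifetime claims WITHOUT verifying its signature.
// Use the result only as a UX hint (e.g. trigger re-login); it proves nothing
// about authenticity, because anyone can craft a payload with any exp value.

const RENEW_MARGIN_SECONDS = 60; // assumed margin: renew when less than this remains

function base64UrlToJson(segment) {
  // JWT segments are unpadded base64url; restore the standard alphabet and padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function isObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function inspectTokenLifetime(token, nowMs = Date.now(), margin = RENEW_MARGIN_SECONDS) {
  if (typeof token !== 'string') return { status: 'malformed' };
  const parts = token.split('.');
  // An opaque bearer token has no readable claims; only the issuer can judge it.
  if (parts.length !== 3) return { status: 'not-a-jwt' };

  let header, claims;
  try {
    header = base64UrlToJson(parts[0]);
    claims = base64UrlToJson(parts[1]);
  } catch {
    return { status: 'malformed' };
  }
  if (!isObject(header) || !isObject(claims)) return { status: 'malformed' };

  // A token declaring alg "none" carries no signature at all; never act on it.
  if (String(header.alg).toLowerCase() === 'none') return { status: 'unsigned' };

  // exp and nbf are NumericDate values: seconds since the Unix epoch.
  if (!Number.isFinite(claims.exp)) return { status: 'no-exp' };
  const now = Math.floor(nowMs / 1000);
  if (Number.isFinite(claims.nbf) && now < claims.nbf) return { status: 'not-yet-valid' };

  const secondsLeft = claims.exp - now;
  if (secondsLeft <= 0) return { status: 'expired', secondsLeft };
  if (secondsLeft <= margin) return { status: 'expiring', secondsLeft };
  return { status: 'active', secondsLeft };
}
```

An expiry check like this does not address replay: a captured token that has not yet expired passes it just as the original does.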