Validating Genesys Cloud implicit grant JWT in React custom hook

We’re building a custom React dashboard that sits alongside the CXone interface. We’re using the implicit grant flow to get the access token, which comes back as a JWT. The goal is to validate the token on the client side before making any internal API calls to avoid unnecessary 401 errors.

I wrote a simple hook to decode and verify the signature using jsonwebtoken (jwks-rsa for key fetching). The issue is the aud claim. In the token payload, the audience is set to our client ID, but the validation library expects the issuer URL to match exactly, and sometimes the subdomain varies in our sandbox environments.

Here’s the validation logic I’m using:

import jwt from 'jsonwebtoken';
import { getSigningKey } from 'jwks-rsa';

export const useTokenValidation = (token) => {
  const verify = async () => {
    try {
      const key = await getSigningKey({
        jwksUri: 'https://api.mypurecloud.com/oauth2/jwks',
        clientId: process.env.REACT_APP_CLIENT_ID
      });

      return jwt.verify(token, key, {
        algorithms: ['RS256'],
        issuer: 'https://api.mypurecloud.com',
        audience: process.env.REACT_APP_CLIENT_ID
      });
    } catch (error) {
      console.error('Token validation failed', error);
      return null;
    }
  };

  return { verify };
};

The jwt.verify throws a JsonWebTokenError: invalid signature even though the token works fine when passed in the Authorization header to the Platform API. I checked the token on jwt.io and the signature is valid with the public key from the JWKS endpoint.

Is there something specific about how Genesys signs these tokens that breaks standard JWT libraries? Or am I missing a step in fetching the correct key ID? The token works for API calls, so the signature is technically correct, but the library rejects it.
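
The key-ID step the post asks about, as an added example that is not part of the original post: it selects the JWKS entry by the token header's kid before verifying RS256, then checks exp, iss and aud by exact match against an allow-list. It uses Node's built-in crypto instead of the post's libraries; the key pairs, kids, issuer URL and client ID are constructed, and nothing here describes how Genesys Cloud signs its tokens.

```javascript
const crypto = require('node:crypto');
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Constructed JWKS with one RSA key per kid, as an endpoint serves during key rotation.
function makeJwks(kids) {
  const privateKeys = {};
  const keys = kids.map((kid) => {
    const pair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    privateKeys[kid] = pair.privateKey;
    return { ...pair.publicKey.export({ format: 'jwk' }), kid, alg: 'RS256', use: 'sig' };
  });
  return { jwks: { keys }, privateKeys };
}

function signRs256(claims, kid, privateKey) {
  const input = `${enc({ alg: 'RS256', typ: 'JWT', kid })}.${enc(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Signature check against one specific JWK; returns true or false.
function signatureOk(token, jwk) {
  const [h, p, s] = token.split('.');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  return crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
}

// Full check: pin alg, select the key by header kid, then validate exp, iss and aud.
function verifyToken(token, jwks, { issuers, audience, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = dec(parts[0]);
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('no JWKS key for kid');
  if (!signatureOk(token, jwk)) throw new Error('invalid signature');
  const claims = dec(parts[1]);
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  if (!issuers.includes(claims.iss)) throw new Error('issuer not allowed');
  if (![].concat(claims.aud).includes(audience)) throw new Error('audience mismatch');
  return claims;
}

// Demo with constructed values: the token is signed by the second key in the set.
const { jwks, privateKeys } = makeJwks(['kid-a', 'kid-b']);
const demoClaims = { iss: 'https://login.example.test', aud: 'client-123', sub: 'user-1',
  exp: Math.floor(Date.now() / 1000) + 300 };
const demoToken = signRs256(demoClaims, 'kid-b', privateKeys['kid-b']);
console.log(signatureOk(demoToken, jwks.keys[0]), signatureOk(demoToken, jwks.keys[1]));
```

Checking the signature against the first key in the set fails with the same "invalid signature" symptom, while the key whose kid matches the header verifies.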