Validating Genesys Cloud Implicit Grant JWT in React without SDK

Running a React SPA that needs to auth against Genesys Cloud. We’re using the implicit grant flow because the legacy client won’t support PKCE right now. The token comes back fine in the URL fragment, but I need to validate the JWT on the client side before hitting any API endpoints. The issue is the standard jsonwebtoken library throws when trying to verify the signature because the public key isn’t static.

I tried fetching the JWKS from https://api.mypurecloud.com/.well-known/jwks.json. The response looks correct, containing the RSA public keys. I’m parsing the kid from the ID token header and matching it to the JWKS array. Here’s the verification logic:

import jwt from 'jsonwebtoken';

const verifyToken = async (token) => {
  // Decode without verifying, only to read the kid from the header
  const decoded = jwt.decode(token, { complete: true });
  if (!decoded) return null; // not a parseable JWT
  const headers = decoded.header;
  const response = await fetch('https://api.mypurecloud.com/.well-known/jwks.json');
  const jwks = await response.json();
  // Pick the JWKS entry whose kid matches the token header
  const key = jwks.keys.find(k => k.kid === headers.kid);

  try {
    return jwt.verify(token, key, { algorithms: ['RS256'] });
  } catch (err) {
    console.error('Token verification failed', err);
    return null;
  }
};

The jwt.verify call fails with invalid signature. I’ve checked the exp claim, and the token is definitely not expired. The iss claim matches https://api.mypurecloud.com/oauth/token. I’m using the jose library now instead of jsonwebtoken to handle the PEM format conversion manually, but it still barfs on the signature check.

Is there a specific claim or header I’m missing? Or is the implicit grant token signed with a different key set than the standard authorization code flow? I can’t find any docs on client-side validation for this specific grant type. The SDK handles this internally, but I need the raw token payload for a third-party service integration. Any hints on the key format or verification step?
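
Added example, not part of the original post and not Genesys Cloud code: verifying an RS256 JWT against a JWKS entry selected by kid, importing the entry as a JWK through WebCrypto instead of handing it to a verifier as a PEM key. The helper names, kid, issuer, key pair and token are assumptions constructed locally so the check runs offline.

```javascript
// Added example: kid, issuer, key pair and token are constructed for the demo.
// Browsers expose WebCrypto as globalThis.crypto; older Node falls back to node:crypto.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const RS256 = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
const utf8 = new TextEncoder();

const b64uToBytes = (s) => {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
};
const bytesToB64u = (buf) =>
  btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const jsonToB64u = (obj) => bytesToB64u(utf8.encode(JSON.stringify(obj)));
const b64uToJson = (s) => JSON.parse(new TextDecoder().decode(b64uToBytes(s)));

// Returns the verified payload, or null if any check fails.
async function verifyWithJwks(token, jwks, expectedIss, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  let header, payload, sig;
  try {
    header = b64uToJson(parts[0]); payload = b64uToJson(parts[1]); sig = b64uToBytes(parts[2]);
  } catch { return null; }
  // Pin the algorithm instead of trusting whatever the header claims.
  if (!header || !payload || header.alg !== 'RS256') return null;
  const jwk = (jwks.keys || []).find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) return null;
  // A JWKS entry is a JWK (n, e), not a PEM string: import it in that format.
  const key = await subtle.importKey('jwk', { kty: 'RSA', n: jwk.n, e: jwk.e }, RS256, false, ['verify']);
  const signed = utf8.encode(`${parts[0]}.${parts[1]}`);
  if (!(await subtle.verify(RS256, key, sig, signed))) return null;
  if (typeof payload.exp !== 'number' || payload.exp <= nowSec) return null;
  return payload.iss === expectedIss ? payload : null;
}

// Builds a constructed JWKS plus a token signed by the matching private key.
async function makeSample(kid, iss, exp) {
  const pair = await subtle.generateKey(
    { ...RS256, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    true, ['sign', 'verify']);
  const pub = await subtle.exportKey('jwk', pair.publicKey);
  const input = `${jsonToB64u({ alg: 'RS256', typ: 'JWT', kid })}.${jsonToB64u({ iss, exp })}`;
  const sig = await subtle.sign(RS256, pair.privateKey, utf8.encode(input));
  return {
    jwks: { keys: [{ kty: 'RSA', kid, use: 'sig', alg: 'RS256', n: pub.n, e: pub.e }] },
    token: `${input}.${bytesToB64u(sig)}`,
  };
}
```

In a browser bundle the node:crypto fallback on the first code line can be dropped, since globalThis.crypto is always present there.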