We’re building a React frontend that uses the Genesys Cloud implicit grant flow. The goal is to keep the user session active without hitting the backend for every single API call, so we’re validating the JWT locally using jose (v5).
The token comes back fine from the /authorize endpoint. I can decode it and see the claims. But when I try to verify the signature against the JWKS from https://api.mypurecloud.com/oauth/jwks, it throws a JWSError: Unable to find a key with the specified kid.
Here’s the verification logic:
import { importJWK, jwtVerify, exportJWK } from 'jose';
async function validateToken(token: string) {
const jwksUrl = 'https://api.mypurecloud.com/oauth/jwks';
const response = await fetch(jwksUrl);
const jwks = await response.json();
// Find the key matching the token's header
const header = JSON.parse(atob(token.split('.')[1]));
// Wait, that's the payload. Header is index 0.
const headerParts = token.split('.')[0];
const decodedHeader = JSON.parse(atob(headerParts));
const keyPair = jwks.keys.find(k => k.kid === decodedHeader.kid);
if (!keyPair) {
console.error('Key not found for kid:', decodedHeader.kid);
throw new Error('Key mismatch');
}
const publicKey = await importJWK(keyPair, 'RS256');
const { payload } = await jwtVerify(token, publicKey);
return payload;
}
The kid in the token header is GC-PROD-KEY-1. The JWKS endpoint returns keys, but none of them have that exact kid. They have things like abc123-def456.
Is the implicit grant using a different signing key than the standard OAuth2 endpoints? Or am I fetching the wrong JWKS URL? The docs are vague on this specific mismatch. I’ve tried using the public key from the /.well-known/openid-configuration endpoint as well, same result. No kid match.
This feels like a config issue on our side, but the token is signed by Genesys, so I’m stuck. Any ideas on how to map these keys?