We are migrating our internal dashboard to a React frontend and need to validate the JWT tokens received via the implicit grant flow. The current setup uses the Platform SDK for authentication, which handles the token refresh and validation internally. However, for this specific microservice, we decided to manage the tokens manually to reduce bundle size. The issue arises when we try to validate the token signature in the browser. Genesys Cloud uses RS256, so we need to fetch the JWKS from https://login.us.genesys.cloud/oauth2/.well-known/jwks.json.
The problem is that the kid (Key ID) in the token header often does not match any key in the JWKS response we receive. We are seeing a kid like abc123 in the token, but the JWKS payload contains keys with IDs like xyz789. This causes the signature verification to fail consistently. We have tried fetching the JWKS multiple times, but the keys seem to rotate or mismatch. Is there a specific endpoint or header we need to include when requesting the JWKS? Or is there a known delay in key propagation?
Here is the validation logic we are using:
import jwt from 'jsonwebtoken';

const JWKS_URL = 'https://login.us.genesys.cloud/oauth2/.well-known/jwks.json';

const validateToken = async (token) => {
  const response = await fetch(JWKS_URL);
  if (!response.ok) {
    throw new Error(`JWKS fetch failed: ${response.status}`);
  }
  const jwks = await response.json();
  // decode() with complete: true returns { header, payload, signature }; it verifies nothing
  const decoded = jwt.decode(token, { complete: true });
  if (!decoded || !decoded.header || !decoded.header.kid) {
    throw new Error('Token is not a JWT with a kid header');
  }
  const key = jwks.keys.find(k => k.kid === decoded.header.kid);
  if (!key) {
    throw new Error('Key not found');
  }
  // Verification logic...
};
The error thrown is always “Key not found”. We have confirmed the token is valid by using it in a direct API call with the SDK. The token structure looks correct, with the standard iss, sub, and aud claims. The aud claim matches our client ID. We are running this in a standard create-react-app environment. Any insights on why the kid mismatch occurs? We have checked the token expiration, and it is well within the validity period. The timezone is set to Europe/Berlin, so we are not dealing with any UTC drift issues. We need a reliable way to validate these tokens client-side.