Validating Genesys Cloud JWT implicit grant tokens in React/Kotlin hybrid

We’re migrating our Android app’s auth flow to handle Web Messaging sessions more securely. The plan is to offload the initial implicit grant token validation to a React-based admin dashboard for audit logging before passing the session ID back to the native Kotlin layer.

The issue is verifying the access_token JWT structure returned from the Genesys Cloud implicit flow. I’m using jwt-decode in the React component, but the payload claims don’t match the standard OpenID Connect expectations I’m used to. Specifically, the aud claim is empty, and the sub is a UUID that doesn’t immediately map to the user object I fetch via /api/v2/users/me.

Here’s the decode output I’m seeing in the console:

{
 "sub": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
 "iss": "https://api.mypurecloud.com",
 "aud": "",
 "exp": 1698765432,
 "iat": 1698761832,
 "scope": "webmessaging:send",
 "client_id": "my-app-client-id"
}

I’m trying to validate the signature using the public keys from the JWKS endpoint at https://api.mypurecloud.com/oauth/token, but the kid in the header isn’t matching any of the keys returned. Is there a specific endpoint for Web Messaging JWT validation that differs from the standard OAuth2 flow? Or am I missing a step in extracting the correct public key for this specific grant type?

I’ve tried fetching the JWKS and looping through the keys to verify the signature with the jose library, but it keeps throwing ERR_JWS_VERIFICATION_FAILED. The token itself works fine when passed to the Android SDK’s WebMessagingClient.connect(), so the token is valid, but I can’t verify it server-side or in the React app before the handoff.

Any pointers on the correct JWKS URL or validation logic for these specific tokens?

Implicit grant tokens are opaque in Genesys Cloud, so decoding the payload client-side won’t work for validation. You need to call GET /api/v2/oauth/tokeninfo with the bearer token to verify it’s active.
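One way to act on that answer, as an added example that is not code from this thread or from Genesys: introspect the token with GET /api/v2/oauth/tokeninfo instead of decoding it, and log a fingerprint rather than the token itself. Assumed: the region base URL https://api.mypurecloud.com from the question, and that the active/inactive decision rests only on the HTTP status (no response body shape is assumed); fetch is injectable so the request-building and decision logic can be exercised offline.

```javascript
// Added example, not from the thread: validate a Genesys Cloud implicit-grant token by
// introspection, as the answer recommends, instead of decoding its payload client-side.
// Assumption: the region base URL below comes from the question; the body returned by
// /api/v2/oauth/tokeninfo is passed through untouched, only the HTTP status decides.

const DEFAULT_BASE_URL = 'https://api.mypurecloud.com';

// Build the introspection request; the token only ever travels in the Authorization header.
function buildTokenInfoRequest(token, baseUrl = DEFAULT_BASE_URL) {
  if (typeof token !== 'string' || token.length === 0 || /\s/.test(token)) {
    throw new Error('access token must be a non-empty string without whitespace');
  }
  return {
    url: `${baseUrl.replace(/\/+$/, '')}/api/v2/oauth/tokeninfo`,
    options: {
      method: 'GET',
      headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
    },
  };
}

// Map the HTTP status (plus parsed body, if any) to a decision: 200 means the token is
// active, 401 means it is not, anything else is treated as "not active" with a reason.
function interpretTokenInfoResponse(status, body) {
  if (status === 200) return { active: true, reason: 'ok', info: body ?? null };
  if (status === 401) return { active: false, reason: 'unauthorized', info: null };
  return { active: false, reason: `unexpected-status-${status}`, info: null };
}

// FNV-1a 32-bit fingerprint so the audit log can correlate a token without storing it.
function tokenFingerprint(token) {
  let h = 0x811c9dc5;
  for (let i = 0; i < token.length; i++) {
    h ^= token.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Audit record for the dashboard: session id, fingerprint and decision, never the raw token.
function auditRecord(token, decision, sessionId) {
  return { sessionId, tokenFingerprint: tokenFingerprint(token), active: decision.active,
           reason: decision.reason, at: new Date().toISOString() };
}

// Async wrapper; fetchImpl is injectable so the logic above can be tested without network.
async function introspectToken(token, { baseUrl = DEFAULT_BASE_URL, fetchImpl = globalThis.fetch } = {}) {
  const { url, options } = buildTokenInfoRequest(token, baseUrl);
  const res = await fetchImpl(url, options);
  let body = null;
  try { body = await res.json(); } catch (_) { /* non-JSON or empty body: treat as absent */ }
  return interpretTokenInfoResponse(res.status, body);
}
```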