Validating Genesys JWT in React - getting invalid signature with public keys

Hey everyone,

We’re hitting a wall trying to validate the JWT token returned from the Genesys Cloud implicit grant flow in our React frontend. We’ve got the token, and it looks valid visually, but when we try to verify it using the public keys from the JWKS endpoint, we keep getting an “invalid signature” error.

Here’s the flow:

  1. User logs in via Genesys OAuth.
  2. We get the id_token in the URL fragment.
  3. We fetch the JWKS from https://api.mypurecloud.com/oauth/jwks.
  4. We use jose (Node.js style in React via Vite) to verify the token.

The code:

import { jwtVerify, importJWK, decodeProtectedHeader } from 'jose';

async function verifyToken(token) {
  try {
    // Fetch the published signing keys
    const jwksUrl = 'https://api.mypurecloud.com/oauth/jwks';
    const response = await fetch(jwksUrl);
    const jwks = await response.json();

    // Decode the protected header (first token segment, base64url) to get kid
    const header = decodeProtectedHeader(token);
    const key = jwks.keys.find(k => k.kid === header.kid);

    if (!key) {
      throw new Error('Key not found');
    }

    // Import the matching JWK and verify the signature
    const publicKey = await importJWK(key, 'RS256');
    const { payload } = await jwtVerify(token, publicKey);

    return payload;
  } catch (err) {
    console.error('Token verification failed:', err.message);
    throw err;
  }
}

The error we get is:

Token verification failed: invalid signature

We’ve checked the alg in the header, and it’s RS256. The kid matches one of the keys in the JWKS response. We’re also setting the aud option in jwtVerify to our client ID.

Is there something specific about Genesys’s JWT structure that we’re missing? Or is the JWKS endpoint returning keys that don’t match the token’s signing key? We’ve tried multiple tokens, and the issue persists.

Any ideas?