# JWT structure & keys

# Access token

When a user signs up or logs in, they receive a JWT access token in their browser as a cookie for your domain. Your application can use this token to authenticate and authorize the user.

The token's payload is:

```json
{
  "userId": 99,
  "username": "someuser",
  "uuid": "3b22a243-7dd3-50a3-c9b4-9d1bbc96188b",
  "project": "PROJECT_ID",
  "authorization": "member",
  "createdAt": "2020-01-01T00:00:01.000Z",
  "confirmed": true,
  "isDev": false,
  "iat": 1593649607,
  "exp": 1596241607
}
```

This information is encoded into a JWT and added as a cookie named `access.PROJECT_ID`, where `PROJECT_ID` is your project's ID.

Your project ID is in the URL for your project.

In this example, the JWT cookie would be named `access.n8bjqqx7`.

The actual JWT looks like this:


This is a signed JWT; you can learn about the signing process here.

# Signing keys

Your server can validate incoming JWTs with the signing keys for your project.

Visit Settings > JWT signing keys in your Userfront dashboard to see the production and development keys for your project:

These are the keys Userfront uses when creating your JWTs. Your application can use these keys to verify incoming JWTs.
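
One way a server could perform this verification with Node's built-in `crypto` module, as an added example that is not Userfront's own code. It assumes the tokens are signed with RS256 and that the dashboard key is a PEM public key, neither of which this page states; `readCookie`, `verifyAccessToken` and `makeSample` are hypothetical names, and the key pair and cookie header are constructed for the demo.

```javascript
const crypto = require("node:crypto");

const PROJECT_ID = "n8bjqqx7"; // project ID from the page's cookie-name example

// Pull one cookie value out of a raw Cookie request header.
function readCookie(header, name) {
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0 && part.slice(0, i).trim() === name) return part.slice(i + 1).trim();
  }
  return null;
}

// Return the payload if the token verifies; throw otherwise.
function verifyAccessToken(token, publicKeyPem, projectId, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  // Pin the algorithm (assumed RS256) instead of trusting the token's own header.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const sig = Buffer.from(s, "base64url");
  if (!crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKeyPem, sig)) {
    throw new Error("bad signature");
  }
  // Claims are read only after the signature has checked out.
  const payload = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  if (typeof payload.exp !== "number" || payload.exp <= nowSec) throw new Error("expired");
  if (payload.project !== projectId) throw new Error("wrong project");
  return payload;
}

// Constructed fixture: a throwaway RSA key pair stands in for the dashboard key.
function makeSample(nowSec, claims = {}) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const payload = { userId: 99, project: PROJECT_ID, authorization: "member",
                    iat: nowSec, exp: nowSec + 3600, ...claims };
  const body = `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(body), privateKey).toString("base64url");
  return { publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
           cookieHeader: `theme=dark; access.${PROJECT_ID}=${body}.${sig}` };
}

const demo = makeSample(Math.floor(Date.now() / 1000));
const token = readCookie(demo.cookieHeader, `access.${PROJECT_ID}`);
console.log(verifyAccessToken(token, demo.publicKeyPem, PROJECT_ID).authorization);
```

In a real deployment the PEM comes from the dashboard's signing-key page for the matching mode (production or development), and `makeSample` is dropped.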

Last Updated: 8/1/2020, 12:31:11 AM