Verify JWT Token using API (serverless)

If you don't have a backend server (for example, if you're using Webflow), we provide an API endpoint that validates the access token issued by Cotter.

Verify JWT Token from Cotter

POST https://worker.cotter.app/verify

If you don't have a server on which to verify Cotter's JWT token, you can verify it by calling this API.

Headers

| Name | Type | Description |
| --- | --- | --- |
| API_KEY_ID | string | Your "API_KEY_ID". It's recommended to include your API KEY ID so the endpoint also checks that the token was issued for your project. |
| Content-Type | string | application/json |

Request Body

| Name | Type | Description |
| --- | --- | --- |
| oauth_token | object | The `oauth_token` object that is returned in Cotter's response. It should have an attribute called `access_token` containing the access token that you want to verify. |

```javascript
// For valid tokens:
{
    "success": true
}

// If there's a problem:
{
    "success": false,
    "reason": "Error: Invalid JWT token"
}
```

Example HTTP Request:

```http
POST https://worker.cotter.app/verify
Content-Type: application/json
API_KEY_ID: <YOUR API KEY ID>

{
    "oauth_token": {
        "access_token": "eyJhbGciOiJFUzI1Ni...",
        "id_token": "eyJhbGciOiJFUzI1NiIsIm...",
        "refresh_token": "55185:BjD1Hh8ea...",
        "expires_in": 3600,
        "token_type": "Bearer",
        "auth_method": "OTP"
    }
}
```

Example with JavaScript:

```html
<!-- Get Cotter JS SDK -->
<script
    src="https://unpkg.com/cotter@0.3.16/dist/cotter.min.js"
    type="text/javascript"
></script>

<script>
  async function checkAccessToken() {
    // 1. Get the logged-in user's access token
    const cotter = new Cotter("API_KEY_ID"); // 👈 Specify your API KEY ID here
    const token = await cotter.tokenHandler.getAccessToken();
    const accessToken = token?.token;
    if (!accessToken) {
      window.location.href = "/login"; // No stored token: treat as not logged in
      return;
    }

    // 2. Construct the body
    const body = {
      oauth_token: {
        access_token: accessToken
      }
    };

    // 3. Ask Cotter's verify endpoint whether the token is valid
    const url = "https://worker.cotter.app/verify";
    try {
      const resp = await fetch(url, {
        method: "POST",
        cache: "no-cache",
        headers: {
          "Content-Type": "application/json",
          API_KEY_ID: "API_KEY_ID" // 👈 Specify your API KEY ID here
        },
        mode: "cors",
        body: JSON.stringify(body)
      });
      const data = await resp.json();
      if (!data.success) {
        window.location.href = "/login"; // Redirect to your login page
      } else {
        console.log("Token is valid!");
      }
    } catch (err) {
      // Network error or non-JSON reply: fail closed and send the user to log in
      window.location.href = "/login";
    }
  }
</script>
```
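The same exchange from a non-browser client (a CLI or a script without its own backend), as an added example that is not part of Cotter's SDK or this page's original code. It builds the request exactly as documented above (the `API_KEY_ID` and `Content-Type` headers, the `oauth_token.access_token` body) and maps the documented reply to a pass/fail result, treating a missing token, a transport failure or an unexpected reply as "not valid". The injectable `post` callable is a hypothetical helper so the logic can be exercised offline.

```python
import json
import urllib.request

VERIFY_URL = "https://worker.cotter.app/verify"  # endpoint documented above


def build_verify_request(api_key_id, access_token):
    """Return (headers, body_bytes) in the shape the /verify endpoint expects."""
    if not access_token:
        raise ValueError("no access token to verify")
    headers = {
        "Content-Type": "application/json",
        "API_KEY_ID": api_key_id,  # lets the endpoint check the token is for your project
    }
    body = {"oauth_token": {"access_token": access_token}}
    return headers, json.dumps(body).encode("utf-8")


def interpret_verify_response(raw_body):
    """Map the documented JSON reply to (is_valid, reason); anything unexpected is invalid."""
    try:
        data = json.loads(raw_body)
    except (ValueError, TypeError):
        return False, "non-JSON reply from verify endpoint"
    if not isinstance(data, dict) or data.get("success") is not True:
        reason = data.get("reason") if isinstance(data, dict) else None
        return False, reason or "token rejected"
    return True, None


def _urllib_post(url, headers, body):
    """Default transport: POST the body and return the raw reply bytes."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def verify_access_token(api_key_id, access_token, post=None):
    """POST the token to /verify and return (is_valid, reason).

    `post(url, headers, body) -> bytes` is a hypothetical injectable transport
    (assumption for testing); the urllib transport above is used by default.
    """
    try:
        headers, body = build_verify_request(api_key_id, access_token)
    except ValueError as exc:
        return False, str(exc)
    post = post or _urllib_post
    try:
        raw = post(VERIFY_URL, headers, body)
    except OSError as exc:  # urllib.error.URLError is an OSError
        return False, f"verify request failed: {exc}"  # fail closed
    return interpret_verify_response(raw)
```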

Last updated 4 years ago
