Hi there,

I have a simple backend for my app and I want to validate whether the request has come from a valid authenticated Monday user.

From the frontend I get the session token:

monday.get("sessionToken").then((res) => {...})

And then, I use that token to send the request to my backend. In the NodeJS backend I then verify this JWT token using my Signing Secret:

jwt.verify(tokenFromClient, MONDAY_SIGNING_SECRET)

Turns out this doesn’t work and I get “invalid signature”. However, if I use the Client Secret instead, then it works fine.

Am I misunderstanding anything? I thought that in order to validate in the backend if the request is valid, I should use the signing secret to validate the token. Or am I using the wrong token for this?

Thank you.

Hey @v-appgami ,

can you try it like this:

jwt.verify(
  tokenFromClient,
  process.env.MONDAY_SIGNING_SECRET
)

Tell me if that helped.


Hi @TMNXT-Dev,

That doesn’t change the result. I wasn’t using the environment variable just because I was trying things out. You can assume I had the correct key in the MONDAY_SIGNING_SECRET variable that I mentioned in the original question.

The point is: is it expected that the JWT token I got from monday.get("sessionToken") can be verified in the backend using the Client Secret, or should it work with the Signing Secret instead?

Thank you.


Hey there @v-appgami 👋 Thanks for raising this question and providing context to what you are trying to achieve, as well as the issues you are having in the process. That really helps 🙂

@TMNXT-Dev thanks for jumping in and sharing your expertise! I appreciate the help.

That said, @v-appgami - this is something I’ll have to check over with the team and then get back to you as soon as I get further updates from them. I hope that works for you!

-Alex


@v-appgami

This is the correct behaviour (at least from what I have been told by the dev team).

The session token is encoded using your app's Client Secret.


Brilliant, thank you @mitchell.hudson!