Hi @snb,
Could you please confirm that you’re using your Signing Secret and not your Client Secret to decode the jwt?
You can find your Signing Secret in your App configuration page.
Yes, it worked, thank you. Meanwhile I have to add the option
options={'verify_aud': False}
to “decode” function to make it work.
Hello there @snb,
I am glad that worked!
I did not understand what you said about adding verify_aud to the options object. Would you please elaborate?
Looking forward to hearing from you!
Cheers,
Matias
@Matias.Monday the JWT contains an “aud” element. This is the full URL to which monday sent the original request. When we receive a token, we can look at our headers and determine to what URL the request was sent (or if someone is daring enough to hard-code it into their code…)
We can pass this URL as follows (node.js)
jwt.verify(authHeader, secretKey, { audience: url })
Doing so, jwt.verify also checks that the token was sent by monday to the URL in question. I use it in my auth stage, as just a tiny bit of extra checking. Obviously an issue if you use redirects.
Now just if the expiration timestamp in the jwt wasn't several minutes after the one in the shortLivedToken, which is when the API server starts rejecting the token. So I have to also verify the slt to get the real expiration time, so I can reject the request if the slt is too close to becoming invalid to complete execution of the scenario.
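Added example, not code from anyone in this thread: a standard-library Python check that does what the post above describes, pinning HS256, verifying the signature with the Signing Secret, comparing "aud" against the URL the request arrived at, and bounding the usable lifetime by the nested shortLivedToken's exp. It assumes the shortLivedToken is itself a JWT carrying an exp claim; the URL, secrets and tokens in demo() are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_jwt(payload: dict, secret: str) -> str:
    # Only used to build constructed sample tokens for demo(); monday mints the real ones.
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_monday_jwt(token: str, signing_secret: str, request_url: str, now: int) -> int:
    """Check alg, signature, aud and exp; return the seconds of validity left, bounded
    by the nested shortLivedToken's own exp (assumed here to be a JWT carrying exp)."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; the signing secret is an HMAC key
    expected = hmac.new(signing_secret.encode(), f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("aud") != request_url:  # the URL monday sent this request to
        raise ValueError("audience mismatch")
    deadline = int(claims["exp"])
    slt = claims.get("shortLivedToken")
    if slt:
        # Signed with monday's key, not ours, so only its exp claim is read (unverified).
        deadline = min(deadline, int(json.loads(_b64url_decode(slt.split(".")[1]))["exp"]))
    remaining = deadline - now
    if remaining <= 0:
        raise ValueError("token expired")
    return remaining

def demo(now: int = 1_700_000_000) -> int:
    # Constructed sample: outer token valid 10 min, nested shortLivedToken only 3 min.
    url = "https://example.invalid/monday-webhook"
    slt = make_hs256_jwt({"exp": now + 180}, "monday-side-key")
    token = make_hs256_jwt({"aud": url, "exp": now + 600, "shortLivedToken": slt}, "my-signing-secret")
    return verify_monday_jwt(token, "my-signing-secret", url, now)  # -> 180
```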
My code is:
import jwt  # PyJWT
# The Signing Secret is an HMAC key, so HS256 is the only algorithm the token can legitimately use.
data = jwt.decode(token, MY_SIGNING_SECRET, algorithms=['HS256'], options={'verify_aud': False})
Yes, that's for Python, I was just giving Matias a Node example and explanation.
Just checking – @snb did you get this working in the end? Seems like yes, but wanted to confirm 🙂