
Access Token

In noauth.sh, an access token or accessToken is a JWT (JSON Web Token) that is generated when a user successfully authenticates after using signin or remoteSignin.

This token allows you to authorize your users' requests on your server. You can use it as an access filter (gatekeeper) in your API or as an exchange mechanism to establish a session cookie.

Validate access token

Examples of token validation in different languages.

On your server:

javascript
import jwt from "jsonwebtoken";

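/**
 * Verifies a noauth.sh access token and reads the email claim from it.
 *
 * @param {string} accessToken - JWT received from the client.
 * @throws {Error} When jwt.verify rejects the token (invalid or expired);
 *   the original verification error is attached as `cause`.
 */
function authenticate(accessToken) {
  try {
    // Pin the accepted algorithm to HS256, the one the other language
    // examples on this page use, rather than relying on the library default.
    const { email } = jwt.verify(accessToken, SECRET_KEY, {
      algorithms: ["HS256"],
    });
    // ...other validations and session management using the email
  } catch (error) {
    // invalid or expired token
    // Error's second argument is an options object, not extra message text,
    // so the reason goes into the message and the original error into `cause`.
    throw new Error(`Invalid token: ${error.message}`, { cause: error });
  }
}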
python
import jwt

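def authenticate(access_token):
  """Verify a noauth.sh access token and read its email claim.

  Args:
    access_token: JWT string received from the client.

  Raises:
    Exception: if jwt.decode rejects the token (invalid or expired) or the
      decoded payload has no "email" claim.
  """
  try:
    # algorithms is pinned, so only HS256-signed tokens are accepted.
    decoded = jwt.decode(access_token, SECRET_KEY, algorithms=["HS256"])
  except jwt.InvalidTokenError as e:
    # invalid or expired token
    # "from e" keeps the library's error attached as __cause__.
    raise Exception(f"Invalid token: {e}") from e

  # A token without an email claim is reported the same way as any other
  # invalid token instead of escaping as a bare KeyError.
  if "email" not in decoded:
    raise Exception("Invalid token: missing email claim")
  email = decoded["email"]
  # ...other validations and session management using the email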
php
<?php
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

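/**
 * Verifies a noauth.sh access token and reads its email claim.
 *
 * @param string $accessToken JWT received from the client.
 * @throws Exception When JWT::decode rejects the token (invalid or expired);
 *                   the original exception is attached as the previous one.
 */
function authenticate($accessToken) {
  try {
    // The Key pairs SECRET_KEY with HS256, the only algorithm accepted here.
    $decoded = JWT::decode($accessToken, new Key(SECRET_KEY, 'HS256'));
    $email = $decoded->email;
    // ...other validations and session management using the email
  } catch (Exception $e) {
    // invalid or expired token
    // Pass $e as the previous exception so the original failure and its
    // stack trace stay available to logging and error handlers.
    throw new Exception("Invalid token: " . $e->getMessage(), 0, $e);
  }
}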
ruby
require 'jwt'

# Verifies a noauth.sh access token and reads the email claim from its payload.
#
# Raises a RuntimeError ("Invalid token: ...") when JWT.decode rejects the token.
def authenticate(access_token)
  # The third argument (true) enables verification; the algorithm is pinned to HS256.
  payload, _header = JWT.decode(access_token, SECRET_KEY, true, { algorithm: 'HS256' })
  email = payload['email']
  # ...other validations and session management using the email
rescue JWT::DecodeError => e
  # invalid or expired token
  raise "Invalid token: #{e.message}"
end
go
import (
  "errors"
  "github.com/golang-jwt/jwt/v5"
)

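// authenticate verifies a noauth.sh access token and reads its email claim.
// It returns a non-nil error when the token fails verification or does not
// carry a string "email" claim.
func authenticate(accessToken string) error {
  token, err := jwt.Parse(accessToken, func(token *jwt.Token) (interface{}, error) {
    // Refuse to hand out the shared secret for a non-HMAC signing method.
    if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
      return nil, errors.New("unexpected signing method")
    }
    return []byte(SECRET_KEY), nil
  }, jwt.WithValidMethods([]string{"HS256"})) // HS256 only, as in the page's other examples

  if err != nil {
    // invalid or expired token
    return errors.New("invalid token: " + err.Error())
  }
  if !token.Valid {
    // err is nil on this path, so calling err.Error() here would panic.
    return errors.New("invalid token")
  }

  claims, ok := token.Claims.(jwt.MapClaims)
  if !ok {
    // Fail closed rather than accepting a token whose claims cannot be read.
    return errors.New("invalid token: unexpected claims type")
  }

  // Checked assertion: a missing or non-string email claim becomes an error
  // instead of a runtime panic.
  email, ok := claims["email"].(string)
  if !ok {
    return errors.New("invalid token: missing email claim")
  }
  _ = email // placeholder use so the example compiles until real handling is added
  // ...other validations and session management using the email

  return nil
}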

TIP

You can find the SECRET_KEY value in your application settings.

IMPORTANT

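Remember to store your SECRET_KEY in environment variables and never expose it in your source code. The token is verified with a shared secret (HS256 in the examples above), so anyone who obtains SECRET_KEY can forge valid access tokens; keep it on your server only.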