Local JWT decoding and asymmetric signature verification for Supabase Auth.
Supabase issues JWTs signed with either a symmetric secret (HS256, the
legacy default — not verifiable client-side) or an asymmetric key
(RS256 / ES256). For asymmetric algorithms the public keys are
published at <auth-url>/.well-known/jwks.json; this namespace fetches
and caches that JWKS and verifies signatures using the JDK's built-in
crypto, with no third-party dependency.
Callers should use supabase.auth/get-claims rather than these helpers
directly.
Local JWT decoding and asymmetric signature verification for Supabase Auth. Supabase issues JWTs signed with either a symmetric secret (`HS256`, the legacy default — not verifiable client-side) or an asymmetric key (`RS256` / `ES256`). For asymmetric algorithms the public keys are published at `<auth-url>/.well-known/jwks.json`; this namespace fetches and caches that JWKS and verifies signatures using the JDK's built-in crypto, with no third-party dependency. Callers should use [[supabase.auth/get-claims]] rather than these helpers directly.
(clear-cache!)Clears the process-global JWKS cache. Primarily for tests.
Clears the process-global JWKS cache. Primarily for tests.
(decode token)Splits and decodes a JWT into {:header :payload :signed-data :signature}
without verifying it. Returns an anomaly if the token is malformed.
Splits and decodes a JWT into `{:header :payload :signed-data :signature}`
without verifying it. Returns an anomaly if the token is malformed.(verify auth-url token)Verifies token against the JWKS published at auth-url and returns
{:claims <payload> :header <header>} on success, or an anomaly.
Only asymmetric algorithms (RS256, ES256) are verified here; callers
fall back to server-side verification for HS256.
Verifies `token` against the JWKS published at `auth-url` and returns
`{:claims <payload> :header <header>}` on success, or an anomaly.
Only asymmetric algorithms (`RS256`, `ES256`) are verified here; callers
fall back to server-side verification for `HS256`.(verify-with-keys jwks token)Like verify, but verifies against an already-resolved JWKS keys
vector instead of fetching one. Network-free.
Like [[verify]], but verifies against an already-resolved JWKS `keys` vector instead of fetching one. Network-free.
cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |