Token Verification

Depending on where in your back-end application you need to verify the token (also known as an access token), you may need to do so.

For instance, some server applications check the Authorization header for each request (typically via middleware) and only allow access to the resource if the check passes.

Here is a sample curl for token verification:

curl --request POST ``` \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Api-Key: cf47d697-cc0b-4262-8329-78a0995e6fd0' \
--header 'Signature: eyJoYXNoIjoiY2JhZGZmOTJmYmU1ODAyZTUyZDJlNzg0NjViNjIzMWE0M2RmZjIxNGQwMzA3ZWU4MzRmZGZlNmE5ODA2MmQ1OCIsInNhbHQiOiJoWDhqQTMxa00ifQ=='
--data-raw '{
    "bearer": "01835fd6ad5672e5944bbfe74bedd5e376aba016149b4b92a7efc397d78c6fbe"
    "token": {
        "token": "01835fd6ad5672e5944bbfe74bedd5e376aba016149b4b92a7efc397d78c6fbe",
        "scopes": [
        "user_id": "sandbox-user",
        "client_id": "sandbox",
        "expires_at": "2023-12-08T21:52:46-05:00"

💡️ Tip

Tokens generated by SSOfy are sortable.

In the above example, we make a POST request to This is the URL we need to request in order to verify tokens. The initial part of the URL may differ based on the application region. Replace it with the API domain of your application.

bearer, which is the token that needs to be verified, is contained in the message body's json payload.

Content-Type: application/json

Specifying the format of our request body (json in our case).

Accept: application/json

Emphasize the need for a json response.

Api-Key: cf47d697-cc0b-4262-8329-78a0995e6fd0

API Key for your application provided on the application edit page.

Signature: eyJoYXNoIjoiY2JhZGZmOTJmYmU1ODAyZTUyZDJl...

Base64 encoding of the signature and salt generated for the request. More Info

SSOfy replies with a JSON payload with the details of the authorization. The scopes property contains a list of all the permissions the user has granted throughout the authorization process.

expires_at indicates when the token will expire. When caching a token, be sure to set a ttl (expiration time) that is equal to or less than this value.

The Signature header, which should be verified for enhanced security, is also included in the response headers.

SSOfy can send an event to the designated event URL to alert your application when a token is deleted.

The performance of your token verification will therefore be improved if you consider using a cache mechanism to lower the number of times you need to repeatedly access the SSOfy server. You might also benefit from saving account triggers.

Simply invalidate your cached state after receiving a token delete event.

⚠️ Warning

When a token expires, SSOfy doesn't trigger any events. The cache key's expiration period must always be configured to be equal to (or less than) the token's.

ssofy Knowledge Base
At our core, we believe that staying up-to-date with the latest trends and advancements in Authentication and related areas is essential. That's why we take great pride in keeping you informed with the latest insights, updates, and news in this rapidly evolving landscape.

Do you need support?
SSOfy is by Cubelet Ltd.
Copyright © 2024 Cubelet Ltd. All rights reserved.