Backend Integration
AM exposes its public signing keys via JWKS and its configuration via OIDC discovery, standard protocols that any JWT library can consume.
Verify access tokens locally (signature against the JWKS key named by the token's kid, then iss, aud and exp), trust the claims only once that verification has succeeded, and authorize requests on them.
Token Verification Flow
Endpoints
| Endpoint | Purpose |
|---|---|
| /.well-known/jwks.json?client_id=... | Public signing keys |
| /.well-known/openid-configuration?client_id=... | OIDC discovery document |
| /oauth2/introspect | Refresh token introspection |
JWKS
Retrieve public keys for local verification. The client_id query parameter is required:

```http
GET /.well-known/jwks.json?client_id=cid_...
```

```json
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "key_...",
      "alg": "RS256",
      "n": "0vx7agoebG...",
      "e": "AQAB"
    }
  ]
}
```

Multiple keys may be present during rotation. Select the key whose kid matches the kid parameter in the JWT header (kid is a header parameter, not a claim), and use it only if its use is sig and its alg is the algorithm your verifier expects. Never let the token's own alg header choose the verification algorithm.
OIDC Discovery
Auto-configure clients with the discovery document:
```http
GET /.well-known/openid-configuration?client_id=cid_...
```
Returns endpoints, supported algorithms, and capabilities per OpenID Connect Discovery spec.
JWT Claims
Verified tokens contain:
| Claim | Description |
|---|---|
| iss | Issuer URL; must equal the issuer you configured |
| sub | Subject (user ID or client ID) |
| aud | Intended audience; reject tokens whose aud does not name your service |
| exp | Expiration (Unix timestamp); reject at or after this time |
| iat | Issued at (Unix timestamp) |
| scope | Granted permissions |
| cid | Client ID |
| app | Application ID |
| acc | Current account ID |
| uid | User ID (when user-authenticated) |
| role | Role in the current account (acc) |
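The local verification path described in the JWKS and JWT Claims sections above, written out as an added Go example (it is not AM's own code or SDK): the verifier selects the key by the token's kid header, pins the algorithm to RS256, checks the signature, and only then compares iss, aud and exp before handing back the claims. SignJWT and JWKSFor are a constructed stand-in for AM's issuer so that the example runs offline; the issuer URL, audience and kid strings are assumed values, and Claims carries only the subset of the claims table the example acts on.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK mirrors one entry of the JWKS response above (encoding/json matches the
// lowercase member names case-insensitively when decoding a real response).
type JWK struct{ Kty, Use, Kid, Alg, N, E string }
type JWKS struct{ Keys []JWK }

// Claims is the subset of the claims table this backend acts on; aud is modelled as a string.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var ErrUnknownKid = errors.New("no JWKS key matches the token kid")
var b64 = base64.RawURLEncoding

// keyForKid returns the RS256 signing key published under kid, or nil if none is usable.
func keyForKid(jwks JWKS, kid string) *rsa.PublicKey {
	for _, k := range jwks.Keys {
		if k.Kid != kid || k.Kty != "RSA" || k.Use != "sig" || k.Alg != "RS256" {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// VerifyJWT checks the RS256 signature (algorithm pinned, key selected by kid),
// then iss, aud and exp; the claims are returned only when every check passed.
func VerifyJWT(token string, jwks JWKS, iss, aud string, now time.Time) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, errH := b64.DecodeString(p[0])
	rawBody, errB := b64.DecodeString(p[1])
	sig, errS := b64.DecodeString(p[2])
	var hdr struct{ Alg, Kid string }
	var c Claims
	if errH != nil || errB != nil || errS != nil || json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(rawBody, &c) != nil {
		return nil, errors.New("malformed token")
	}
	if hdr.Alg != "RS256" { // never let the token pick the algorithm (alg=none, HS256 confusion)
		return nil, fmt.Errorf("rejected alg %q", hdr.Alg)
	}
	key := keyForKid(jwks, hdr.Kid)
	if key == nil {
		return nil, ErrUnknownKid
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	switch {
	case c.Iss != iss:
		return nil, fmt.Errorf("unexpected iss %q", c.Iss)
	case c.Aud != aud:
		return nil, fmt.Errorf("unexpected aud %q", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// SignJWT and JWKSFor are a constructed stand-in for AM's issuer, used only to mint test tokens.
func SignJWT(key *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return input + "." + b64.EncodeToString(sig)
}

func JWKSFor(key *rsa.PrivateKey, kid string) JWKS {
	pub := key.PublicKey
	e := b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return JWKS{Keys: []JWK{{Kty: "RSA", Use: "sig", Kid: kid, Alg: "RS256", N: b64.EncodeToString(pub.N.Bytes()), E: e}}}
}

func main() {
	const iss, aud = "https://am.example.com", "cid_backend" // assumed issuer and audience values
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	c := Claims{Iss: iss, Sub: "usr_1", Aud: aud, Exp: now.Add(time.Hour).Unix()}
	got, err := VerifyJWT(SignJWT(key, "key_1", c), JWKSFor(key, "key_1"), iss, aud, now)
	fmt.Println(got, err)
}
```

The JWKS here is built in-process; a real service fetches it from /.well-known/jwks.json?client_id=... and caches it. The order of checks is deliberate: the algorithm is rejected before any key lookup, the signature is checked before any claim is read, and iss and aud are compared against values from configuration rather than from the token.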
Caching
- Cache JWKS responses and revalidate with ETag/If-None-Match, so an unchanged key set costs a 304 rather than a download
- Refresh when a token carries a kid that is not in the cached set (key rotation), and rate-limit those refreshes: the kid is attacker-controlled, so refreshing on every verification failure would let anyone drive your JWKS fetch rate
- Typical TTL: 1 hour
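A JWKS cache that follows the three rules above, as an added Go example that is not AM's code: every refetch carries If-None-Match with the last ETag, a lookup for an unknown kid triggers a refetch so rotation is picked up, and refetches are suppressed inside MinRefresh so that tokens with made-up kids cannot turn the service into a fetch amplifier against AM. NewFakeJWKS is a constructed httptest stand-in for the JWKS endpoint (it serves a key set with an ETag and answers a matching If-None-Match with 304); the kid strings and the n/e placeholders in it are assumed values, not real key material.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// JWK and JWKS mirror the JWKS response above, limited to the members the cache keys on.
type JWK struct {
	Kid string `json:"kid"`
	Alg string `json:"alg"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct {
	Keys []JWK `json:"keys"`
}

var ErrUnknownKid = errors.New("kid not present in JWKS")

// JWKSCache keeps the last key set with its ETag and revalidates with If-None-Match.
// A lookup for an unknown kid refetches (key rotation) at most once per MinRefresh.
type JWKSCache struct {
	URL        string
	MinRefresh time.Duration
	mu         sync.Mutex
	keys       map[string]JWK
	etag       string
	lastFetch  time.Time
	Requests   int // conditional GETs sent, 304s included (demo counter)
	Downloads  int // responses that carried a new key set (demo counter)
}

func (c *JWKSCache) refresh(now time.Time) error {
	req, err := http.NewRequest(http.MethodGet, c.URL, nil)
	if err != nil {
		return err
	}
	if c.etag != "" {
		req.Header.Set("If-None-Match", c.etag)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	c.Requests, c.lastFetch = c.Requests+1, now
	if resp.StatusCode == http.StatusNotModified {
		return nil // our copy is still current; keep serving it
	} else if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("jwks: unexpected status %d", resp.StatusCode)
	}
	var set JWKS
	if err := json.NewDecoder(resp.Body).Decode(&set); err != nil {
		return err
	}
	c.keys = make(map[string]JWK, len(set.Keys))
	for _, k := range set.Keys {
		c.keys[k.Kid] = k
	}
	c.etag = resp.Header.Get("ETag")
	c.Downloads++
	return nil
}

// Key returns the JWK for kid, refetching once if it is unknown and MinRefresh has elapsed.
func (c *JWKSCache) Key(kid string, now time.Time) (JWK, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	k, ok := c.keys[kid]
	if !ok && now.Sub(c.lastFetch) >= c.MinRefresh { // unknown kid and not rate-limited
		if err := c.refresh(now); err != nil {
			return JWK{}, err
		}
		k, ok = c.keys[kid]
	}
	if !ok {
		return JWK{}, ErrUnknownKid
	}
	return k, nil
}

// NewFakeJWKS is a constructed stand-in for AM's JWKS endpoint, not AM's own code. It
// returns a test server and a publish function that swaps in a new key set and bumps
// the ETag, as AM would on rotation; the n/e values are placeholders, not real keys.
func NewFakeJWKS() (*httptest.Server, func(kids ...string)) {
	var mu sync.Mutex
	var set JWKS
	version := 0
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		etag := fmt.Sprintf(`"v%d"`, version)
		if r.Header.Get("If-None-Match") == etag {
			w.WriteHeader(http.StatusNotModified) // no body: the client's copy is current
			return
		}
		w.Header().Set("ETag", etag)
		json.NewEncoder(w).Encode(set)
	}))
	publish := func(kids ...string) {
		mu.Lock()
		defer mu.Unlock()
		set = JWKS{}
		for _, kid := range kids {
			set.Keys = append(set.Keys, JWK{Kid: kid, Alg: "RS256", N: "placeholder", E: "AQAB"})
		}
		version++
	}
	return srv, publish
}

func main() {
	srv, publish := NewFakeJWKS()
	defer srv.Close()
	publish("key_1")
	cache := &JWKSCache{URL: srv.URL, MinRefresh: time.Minute}
	now := time.Now()
	_, e1 := cache.Key("key_1", now)                    // cold cache: one download
	_, e2 := cache.Key("key_2", now.Add(2*time.Minute)) // unknown kid, nothing rotated yet: 304
	publish("key_1", "key_2")
	_, e3 := cache.Key("key_2", now.Add(4*time.Minute)) // rotation picked up on the refetch
	fmt.Println(e1, e2, e3, cache.Requests, cache.Downloads)
}
```

The cache hands out JWK entries only; the signature check lives in the verifier that consumes them. The TTL from the list above is not modelled here: a production cache would additionally refetch once the hour is up, using the same conditional request so an unchanged set still costs only a 304.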
Token Introspection
For refresh tokens or when you need authoritative validation:
```http
POST /oauth2/introspect
Content-Type: application/x-www-form-urlencoded

token=...&client_id=...&client_secret=...
```

Returns active: true/false plus the token's claims. Access tokens are JWTs and should be verified locally via JWKS when possible; reserve introspection for refresh tokens and for cases that need the authoritative answer, since a locally verified JWT cannot reflect revocation before its exp. The request carries the client_secret, so it must only ever be made from a server-side component, never from a browser or mobile client.
Related
- OAuth - Token issuance
- Clients - Client configuration
- Client Key - Signing keys