This little tool generates Google-signed JWTs which you can use to protect your API endpoints.
Only send this JWT to your own systems. Do not send this JWT to anyone or any system that you do not trust. Do not display the JWT in public until it is expired. Anyone with access to this JWT can impersonate you throughout the token’s lifespan. This JWT expires after issuance. Once it expires, you must get a new token.
The JWTs generated by this tool are OpenID Connect ID tokens that are cryptographically signed by Google. They can be verified using Google’s JSON Web Key Set.
In Node.js, you can use the jose package to verify the JWT.
import { createRemoteJWKSet, jwtVerify } from 'jose'

const issuer = 'https://accounts.google.com'
const keySetUrl = new URL('https://www.googleapis.com/oauth2/v3/certs')
const audience = '413915959575-0i3lqth0o4b07k6v7e1ssar6kg4n52uk.apps.googleusercontent.com'

// Fetches Google's JWKS on demand and caches it; the signing key is selected by the token's kid header.
const keySet = createRemoteJWKSet(keySetUrl)

// jwtVerify checks the signature against the key set, then the iss, aud and exp claims.
function validate(jwt) {
  return jwtVerify(jwt, keySet, { issuer, audience })
}

// Top-level await requires an ES module.
const result = await validate('eyJhb.....')
console.log(result)
Once the JWT's authenticity has been verified, you can protect your endpoints by checking result.payload.email against your allowlist.