
JWT Verification

Allegro issues signed JSON Web Tokens (JWTs) for every member session. Because these tokens are signed with an asymmetric RS256 key, you can verify them in your own infrastructure — AWS API Gateway, Cloudflare Workers, custom middleware — without any shared secret.

Token Structure

Every Allegro JWT has the following standard claims:

Claim   Description
iss     Issuer — your tenant domain (e.g. https://example.com)
aud     Audience — same as iss
sub     Subject — the member's UUID
iat     Issued at (Unix timestamp)
exp     Expires at (Unix timestamp, 1 year from issue)
jti     Unique token ID (UUID v4)

In addition, Allegro includes these custom claims:

Claim                     Description
authenticated             true if the member has completed authentication
session.id                UUID of the AudienceDeviceSession
session.authenticated_at  ISO 8601 timestamp of when the session was authenticated
audience_member           Full member object (id, email, name, email_verified, …)
products                  Array of product slugs the member currently holds active entitlements for

OIDC Discovery

Allegro exposes a standard OpenID Connect discovery document:

GET https://<your-tenant-domain>/.well-known/openid-configuration

This returns the issuer, JWKS URI, and supported algorithms. Most OIDC-aware services read this endpoint automatically.

JWKS Endpoint

Public keys used to verify token signatures are available at:

GET https://<your-tenant-domain>/.well-known/jwks.json

The response is a standard JWK Set containing one or more RSA public keys. Multiple keys may appear during key rotation — consumers must select the key matching the kid in the token header.

Example: AWS API Gateway JWT Authorizer

  1. In your API Gateway HTTP API, add a JWT authorizer.
  2. Set Issuer to your tenant domain: https://<your-tenant-domain>
  3. Set Audience to your tenant domain: https://<your-tenant-domain>
  4. Set JWKS URI to: https://<your-tenant-domain>/.well-known/jwks.json

AWS will automatically fetch the public keys and verify incoming tokens. No secret sharing required.