# JWT Verification

Allegro issues signed JSON Web Tokens (JWTs) for every member session. Tokens are signed with RS256 (RSA signature over SHA-256) using a private key that only Allegro holds, so verification needs nothing but the matching public key: you can verify them in your own infrastructure (AWS API Gateway, Cloudflare Workers, custom middleware) without any shared secret. A verifier should accept only `alg: RS256` and only the keys published in the JWKS below; never let the token header choose the algorithm or the key material.

## Token Structure

Every Allegro JWT has the following standard claims:

| Claim | Description                                              |
| ----- | -------------------------------------------------------- |
| `iss` | Issuer — your tenant domain (e.g. `https://example.com`) |
| `aud` | Audience — same as `iss`                                 |
| `sub` | Subject — the member's UUID                              |
| `iat` | Issued at (Unix timestamp)                               |
| `exp` | Expires at (Unix timestamp, 1 year from issue)           |
| `jti` | Unique token ID (UUID v4)                                |

In addition, Allegro includes these custom claims:

| Claim                      | Description                                                               |
| -------------------------- | ------------------------------------------------------------------------- |
| `authenticated`            | `true` if the member has completed authentication                         |
| `session.id`               | UUID of the `AudienceDeviceSession`                                       |
| `session.authenticated_at` | ISO 8601 timestamp of when the session was authenticated                  |
| `audience_member`          | Full member object (id, email, name, email\_verified, …)                  |
| `products`                 | Array of product slugs for which the member held active entitlements when the token was issued (claims are fixed at signing time) |

## OIDC Discovery

Allegro exposes a standard OpenID Connect discovery document:

```text
GET https://<your-tenant-domain>/.well-known/openid-configuration
```

This returns the issuer, the `jwks_uri`, and the supported signing algorithms. Most OIDC-aware services read this endpoint automatically; if yours does, configure it with the issuer and let it discover the JWKS URI rather than hard-coding it.

## JWKS Endpoint

Public keys used to verify token signatures are available at:

```text
GET https://<your-tenant-domain>/.well-known/jwks.json
```

The response is a standard [JWK Set](https://www.rfc-editor.org/rfc/rfc7517) containing one or more RSA public keys. Multiple keys may appear during key rotation, so consumers must select the key whose `kid` matches the `kid` in the token header, and must reject a token whose `kid` matches no published key. Cache the JWK Set rather than fetching it per request, and on an unknown `kid` re-fetch it once (rate-limited) before rejecting, so that a freshly rotated key is picked up without a restart.

## Example: AWS API Gateway JWT Authorizer

1. In your API Gateway HTTP API, add a JWT authorizer.
2. Set **Issuer** to your tenant domain: `https://<your-tenant-domain>`
3. Set **Audience** to the same value, `https://<your-tenant-domain>`, because Allegro sets `aud` equal to `iss`.
4. API Gateway does not take a JWKS URI directly: it fetches `https://<your-tenant-domain>/.well-known/openid-configuration` from the issuer and reads the `jwks_uri` from it, which resolves to `https://<your-tenant-domain>/.well-known/jwks.json`.

API Gateway fetches the public keys, caches them, and verifies the signature, `iss`, `aud` and `exp` of every incoming token; requests with a missing or invalid token are rejected before they reach your integration. No secret sharing required.
