Once Corbado is integrated into your frontend, users can log in using passkeys. Upon successful login, they will receive a session-token.

By default, this session-token is stored in a cookie and sent to your backend with every request (if same-origin; refer to session-token handling for more details).

To verify if a user is authenticated and to retrieve user data, you must validate the session-token in your backend. The official SDK for your language facilitates this process with its validateToken() (or similar) function.

Token Validation

The session-token is a JWT that requires validation. The validateToken() (or similar) function performs the following tasks:

  • Verifies the JWT signature using Corbado’s public keys (JWKS).
  • Checks the token’s expiration, validity, and other claims.
  • Returns the decoded claims if the token is valid, or throws an error if it is not.

Implementation

Below is an example of how to use the validateToken() function. As previously mentioned, by default, the session-token is stored in a cookie and sent to your backend. You will need to retrieve this cookie based on the HTTP framework you are using.

You can find instructions for installing and initializing the Corbado Node.js SDK in the official README.

// Initialize SDK with your project ID, API secret, frontend API URL, and backend API URL
const config = new Config("<Your Project ID>", "<Your API secret>", "<Your Frontend API URL>", "<Your Backend API URL>");
const sdk = new SDK(config);

// Retrieve session-token (e.g., from a cookie or header)
const sessionToken = '...';

// Validate session-token
const user = await sdk.sessions().validateToken(sessionToken);

console.log(user.userId);

Why is this important?

  • Ensures only valid, untampered tokens are accepted.
  • Protects your backend endpoints from unauthorized access.
  • Handles key rotation and validation logic for you.

For more details, see the Corbado Node.js SDK documentation.

Find a full tutorial on how to implement passkeys in our blog post.