JWKS Endpoint
Use the JSON Web Key Set below to verify JWTs signed by HomeBinder's KMS-backed signing keys.
JWKS URL
https://s3.us-east-1.amazonaws.com/homebinder.com/.well-known/jwks/current.json
Also available at: https://tokens.testing.homebinder.com/.well-known/jwks.json (cached, CORS-enabled)
Node.js Implementation
Always enforce issuer and audience — without these, tokens intended for other apps or from a different environment could be accepted. This is the tokens.testing.homebinder.com environment. Only accept issuers from this environment.
```javascript
import { createRemoteJWKSet, jwtVerify } from "jose";

const JWKS_URL = "https://tokens.testing.homebinder.com/.well-known/jwks.json";
// Remote key set: jose fetches and caches the JWKS and refreshes it when an unknown kid is seen.
const jwks = createRemoteJWKSet(new URL(JWKS_URL));

// Configure for your environment and app:
const ACCEPTED_ISSUERS = ["https://sso.testing.homebinder.com", "https://tokens.testing.homebinder.com"];
const ACCEPTED_AUDIENCE = "https://api.homebinder.com"; // replace with your app's audience

export async function verifyToken(token) {
  const { payload } = await jwtVerify(token, jwks, {
    issuer: ACCEPTED_ISSUERS,
    audience: ACCEPTED_AUDIENCE,
    algorithms: ["EdDSA"], // pin to the signing algorithm listed under Details; never let the token header choose
  });
  return payload;
}

// Usage:
// const token = req.headers.authorization?.replace("Bearer ", "");
// const user = await verifyToken(token);
// console.log(user.sub, user.email, user.role);
```
Install the jose library:

```shell
npm install jose
```
Common Token Claims
Claims vary by token type. These are the standard fields you can expect:

| Claim | Type | Description |
|---|---|---|
| iss | string | Issuer — must be "https://sso.testing.homebinder.com" (SSO) or "https://tokens.testing.homebinder.com" (M2M) for this environment |
| sub | string | Subject identifier (user ID, service name, etc.) |
| iat | number | Issued at (Unix timestamp) |
| exp | number | Expiration (Unix timestamp) |
| jti | string | Unique token ID |

SSO Tokens

| Claim | Type | Description |
|---|---|---|
| email | string | User's email address |
| name | string | Display name |
| role | string | App-specific role (admin, viewer, user) |
| scope | string | Space-separated scopes (e.g. "read write") |
| app_id | string | The app this token was issued for |

M2M / Service Tokens

| Claim | Type | Description |
|---|---|---|
| client_id | string | Service identifier |
| type | string | "m2m" |
| token_type | string | "m2m" or "long-lived" |
Details
- Algorithm: EdDSA (Ed25519)
- Keys are managed by AWS KMS — private keys never leave the HSM
- JWKS is cached by the jose library and refreshed automatically
- Keys are rotated periodically — always verify against the live JWKS, never hardcode public keys