
Manual/DIY

If you don't use any of the supported frameworks, you can still use Qloud Network by manually checking the JWT we send your application backend.

The JWT you receive is signed with the HS256 algorithm, i.e. it is signed with a shared secret key. The key can be found on our Dashboard; when using our Local Development environment, the key is 00000000000000000000000000000000.

The JWT is sent as a cookie named __q__token__.

Steps to verify the JWT:

  1. Extract the JWT from the __q__token__ cookie
  2. Ensure that the JWT header specifies the HS256 algorithm. JWTs have a known weakness when the none algorithm is accepted; we never use it, so a token claiming the none algorithm is invalid.
  3. Check the signature of the JWT using the shared secret key
  4. If the token is valid, you can trust the claims of the token
  5. If the token is not present or invalid, deny access to the user, either by treating the request as an anonymous request or by redirecting the user to the login page.
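The five steps above, as an added example that is not Qloud's own code: a dependency-free Python implementation of the check a backend would run on each request. The cookie name and the Local Development secret are taken from this page; the function names, the cookie-header parsing and the `make_token` helper (used only to build test fixtures, since real tokens come from the Qloud proxy) are assumptions made for the example. The algorithm is enforced from the backend's own expectation rather than trusted from the token header, which is what closes the none-algorithm weakness the steps mention.

```python
import base64
import hashlib
import hmac
import json
import time

# Values taken from the page: cookie name and Local Development shared secret.
COOKIE_NAME = "__q__token__"
LOCAL_DEV_SECRET = b"00000000000000000000000000000000"


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWTs."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def extract_token(cookie_header: str, name: str = COOKIE_NAME):
    """Step 1: pull the JWT out of a raw Cookie request header, or None if absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name and value:
            return value
    return None


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Steps 2-4: enforce HS256, verify the signature, return the claims.

    Raises ValueError for anything that is not a valid HS256 token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Step 2: the only accepted algorithm is the one we expect. 'none' and
    # everything else is rejected before any signature work happens.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("only HS256 tokens are accepted")

    # Step 3: recompute HMAC-SHA256 over header.payload and compare in constant time.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(_b64url_decode(payload_b64))
    # Reject expired tokens when an exp claim is present (assumed, not page-specified).
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims  # Step 4: the claims can now be trusted


def authenticate_request(cookie_header: str, secret: bytes, now=None):
    """Step 5: claims for a valid token, or None so the caller treats the request as anonymous."""
    token = extract_token(cookie_header)
    if token is None:
        return None
    try:
        return verify_hs256(token, secret, now=now)
    except ValueError:
        return None


def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Test fixture only: build an HMAC-signed token. The header 'alg' is a parameter
    so a test can confirm that a token whose header claims another algorithm is rejected."""
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    fixture = make_token({"sub": "user-123", "exp": 2000000000}, LOCAL_DEV_SECRET)
    print(authenticate_request(f"{COOKIE_NAME}={fixture}", LOCAL_DEV_SECRET))
```

In production, replace `LOCAL_DEV_SECRET` with the key from the Dashboard and call `authenticate_request` with the request's Cookie header; a `None` result is the signal to serve the request anonymously or redirect to login.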

Remember that the __q__token__ cookie your backend sees is set by our proxy server. The __q__token__ cookie received by the user's browser is a different one (signed with the RS256 algorithm) and cannot be processed directly by your application backend (see our documentation on the JWT exchange).

jwt.io and awesome-jwt are great places to search for good libraries to verify JWTs.

Please also let us know which framework you're using, so we can add it to our list of supported frameworks (support@qloud.network).