Token Verification

When your frontend sends a request with a SpartanAuth JWT, your backend must verify it before trusting it. SpartanAuth provides an introspection endpoint for this — one HTTP call is all it takes.

Caution

Never trust the JWT on the client side for authorization decisions. Anyone can decode a JWT — decoding is not verification. Always verify server-side.

The introspection endpoint

POST https://api.spartanauth.com/api/v1/introspect
Content-Type: application/json

{"token": "<jwt>"}

Response: valid token (HTTP 200)

{
  "sub": "3f2a8c1d-...",
  "username": "[email protected]",
  "sectorID": "a1b2c3d4-...",
  "isAdmin": false,
  "exp": "1717000000",
  "iat": "1716996400"
}

Response: invalid or expired token (HTTP 401)

Any non-200 response means the token should be rejected.

Note

exp and iat are quoted strings, not JSON numbers. This is due to protobuf’s JSON serialization of int64 to avoid JavaScript precision loss. Your client code must handle this — see the Go example.

Sending the token from the frontend

After the spartan-login event fires, read the JWT from localStorage and include it in all API calls:

async function apiFetch(path: string, options: RequestInit = {}) {
  const token = localStorage.getItem('spartan-token');
  return fetch(path, {
    ...options,
    headers: {
      ...options.headers,
      ...(token ? { Authorization: `Bearer ${token}` } : {}),
      'Content-Type': 'application/json',
    },
  });
}

Verifying with curl (for testing)

curl -X POST https://api.spartanauth.com/api/v1/introspect \
  -H "Content-Type: application/json" \
  -d '{"token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."}'

Language-specific examples

• Go backend with gRPC interceptor →
• Traefik ForwardAuth (no code required) →