FAQs

Why isn't there a built-in verifyToken() method?

The OAuth 2.0 specification intentionally leaves token validation up to individual implementations because different applications have different requirements for:

  • Scope checking
  • Audience validation
  • Custom business logic
  • Performance considerations

How do I validate OAuth access tokens in my application?

There are two main methods for validating OAuth access tokens:

Option 1: JWT + Repository Check

This approach combines JWT signature verification with a database check for token revocation:

// Assumes the application's own jwtService, accessTokenRepository and isExpired helpers are in scope.
async function validateToken(accessToken: string) {
  // Verify the JWT signature and decode the claims
  const decoded = await jwtService.verify(accessToken);

  // Check that the token exists and has not been revoked, using the jti claim
  const storedToken = await accessTokenRepository.getByAccessToken(decoded.jti);

  return storedToken && !isExpired(storedToken)
    ? { valid: true, decoded, storedToken }
    : { valid: false };
}
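The Option 1 flow above as a runnable, added example that is not the library's own code: `jwtService` is replaced by a minimal HS256 verifier built on Node's `crypto` module, and `accessTokenRepository` by an in-memory Map keyed by `jti`; the secret, token ids and timestamps are constructed sample values.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed stand-ins for jwtService and accessTokenRepository (assumptions, not the library's API).
type Claims = { jti: string; exp: number };
type StoredToken = { jti: string; revoked: boolean; expiresAt: number };
type Validation = { valid: boolean; reason?: string; decoded?: Claims; storedToken?: StoredToken };
const SECRET = "constructed-demo-hs256-secret"; // constructed sample key; load real keys from config
const store = new Map<string, StoredToken>(); // in-memory stand-in for the token repository, keyed by jti

const enc = (s: string) => Buffer.from(s).toString("base64url");
const sign = (input: string) => createHmac("sha256", SECRET).update(input).digest();
const decodeSegment = (s: string): any => {
  try { return JSON.parse(Buffer.from(s, "base64url").toString()); } catch { return undefined; }
};

// Issue an HS256 JWT carrying a jti and record it in the store, so the example runs stand-alone.
export function issueToken(jti: string, exp: number): string {
  const header = enc(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = enc(JSON.stringify({ jti, exp }));
  store.set(jti, { jti, revoked: false, expiresAt: exp });
  return `${header}.${payload}.${sign(`${header}.${payload}`).toString("base64url")}`;
}

export function revokeToken(jti: string): void {
  const t = store.get(jti);
  if (t) t.revoked = true;
}

// Option 1 from the FAQ: verify the signature first, then consult the repository by jti.
export function validateToken(accessToken: string, now = Math.floor(Date.now() / 1000)): Validation {
  const parts = accessToken.split(".");
  if (parts.length !== 3) return { valid: false, reason: "malformed" };
  const [header, payload, sig] = parts;
  const hdr = decodeSegment(header);
  const decoded: Claims | undefined = decodeSegment(payload);
  if (!hdr || !decoded || typeof decoded.jti !== "string") return { valid: false, reason: "malformed" };
  // Pin the algorithm: the token's own header must never choose how it is verified.
  if (hdr.alg !== "HS256") return { valid: false, reason: "unsupported alg" };
  const expected = sign(`${header}.${payload}`);
  const given = Buffer.from(sig, "base64url");
  // Constant-time comparison; a length mismatch is rejected before comparing.
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return { valid: false, reason: "bad signature" };
  if (typeof decoded.exp !== "number" || decoded.exp <= now) return { valid: false, reason: "expired" };
  // Repository check: the jti must be known, not revoked, and not expired server-side.
  const storedToken = store.get(decoded.jti);
  if (!storedToken || storedToken.revoked || storedToken.expiresAt <= now) return { valid: false, reason: "revoked" };
  return { valid: true, decoded, storedToken };
}
```

Revoking a token only flips the repository record, which is exactly why the JWT check alone is not enough: the signature on a revoked token still verifies.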

Option 2: Use the Introspection Endpoint

The OAuth library provides an /introspect endpoint (RFC 7662) that handles validation for you. You can either:

  • Expose it and call it from your middleware
  • Use the same logic internally by calling authorizationServer.introspect() directly

This method handles both JWT verification and token status checking automatically.

Common Errors

Unsupported grant_type

Check if you're enabling the desired grant type on the AuthorizationServer. See https://tsoauth2server.com/docs/authorization_server/#enabling-grant-types for more.

import {AuthorizationServer} from "@jmondi/oauth2-server";

const authorizationServer = new AuthorizationServer(...);
authorizationServer.enableGrantType({ grant: "password" ... });

Client has been revoked or is invalid

Check the OAuthClientRepository#isClientValid method; it is returning false for this client.