Session Validation

Validate session tokens on your server or at the gateway — not in the browser or on the device. After a user signs in, your web or mobile client sends the session token to your API as described in Session management. Your backend (or an API gateway in front of it) must verify the token before serving protected resources.

Where to validateDescription
BackendValidate server-side on every API request. Recommended for all APIs and when enforcing roles and permissions from JWT claims.View
API gatewayValidate at the edge with AWS, Azure, GCP, or other JWT authorizers — no application code required.View

Client apps do not validate sessions

Web and mobile SDKs store tokens and attach them to API requests — see Session management. They do not authorize access; your server does.

For live claims on every request (roles, tenant, or custom attributes that may have changed since issuance), use Token introspection via the UserInfo endpoint in addition to local JWT validation.

For the session and refresh token model, see Sessions.

Was this helpful?

On this page