> For the complete documentation index, see [llms.txt](/llms.txt). # JWT errors warning To ensure proper authentication with Embedded Wallets, the JWT header must provide the `kid` field, while the payload data must provide the `iat` field. When configuring Embedded Wallet's custom authentication, you may encounter JWT errors. Below is a list of these errors and the necessary steps to resolve them: - [Invalid JWT verifiers ID field](#invalid-jwt-verifiers-id-field): Error occurred while verifying params could not verify identity - [Failed to verify JWS signature](#failed-to-verify-jws-signature): Error occurred while verifying params unable to verify JWT token - [Duplicate token](#duplicate-token): Could not get result from [Torus nodes](/embedded-wallets/infrastructure/nodes-and-dkg/), duplicate token found - [Expired token](#expired-token): Error occurred while verifying the parameter's time signed is more than 1m0s ago - [Mismatch JWT Validation field](#mismatch-jwt-validation-field) - [Refresh Tokens?](#refresh-tokens-not-supported) ## Invalid JWT verifiers ID field[​](#invalid-jwt-verifiers-id-field "Direct link to Invalid JWT verifiers ID field") ### Error occurred while verifying params could not verify identity[​](#error-occurred-while-verifying-params-could-not-verify-identity "Direct link to Error occurred while verifying params could not verify identity") "Error occurred while verifying params could not verify identity" can arise when the `verifierIdField` of `extraLoginOptions` is different from the one you have set up during the creation of Verifiers (JWT Verifiers ID) on the Embedded Wallets dashboard. note This is the **JWT Verifiers ID** field on the **Verifier Modal** of the Embedded Wallets dashboard: ![JWT Verifier ID - Troubleshoot](/assets/images/jwt-verifier-id-2ca6895369cc752a6db92b9457bba7d5.png) Ensure, this matches your code: ``` import { WALLET_ADAPTERS, CHAIN_NAMESPACES } from '@web3auth/base' await web3auth.connectTo(WALLET_ADAPTERS.AUTH, { loginProvider: 'jwt', extraLoginOptions: { domain: 'YOUR-AUTH0-DOMAIN', verifierIdField: 'sub', // <-- This is the JWT Verifiers ID field. response_type: 'token', scope: 'email profile openid', }, }) ``` ## Failed to verify JWS signature[​](#failed-to-verify-jws-signature "Direct link to Failed to verify JWS signature") ### Error occurred while verifying params unable to verify JWT token[​](#error-occurred-while-verifying-params-unable-to-verify-jwt-token "Direct link to Error occurred while verifying params unable to verify JWT token") "Error occurred while verifying params unable to verify jwt token" could arise because of the following reasons: - The verifier for your AuthAdapter might be wrong. Check to ensure the `verifier` field is set correctly. - The JWT is not signed with the correct key (JWK). - The JWKS endpoint is not reachable or doesn't return a valid JWK that was used to sign the JWT. - The JWKS endpoint is incorrect on the Embedded Wallets dashboard. Double check to confirm the correct JWKS endpoint. ![JWKS Endpoint Field - Troubleshoot](/assets/images/jwks-endpoint-19b62959e6cac7abe862eab4a0dc8c35.png) - The JWKS is missing the `kid` field. - The `kid` present in the JWT header is not present in the JWKS. info Embedded Wallets (Web3Auth) uses the JWKS to: - Fetch the provider's public keys - Find the correct key using the JWT's `kid` - Verify the JWT's signature `sample jwks`: ``` { "keys": [ { "kty": "RSA", "e": "AQAB", "use": "sig", "kid": "YOUR-KID", // <-- This is the kid. "n": "YOUR-N", "alg": "RS256" // <-- This is the algorithm. } ] } ``` `sample jwks endpoint`: ## Duplicate token[​](#duplicate-token "Direct link to Duplicate token") ### Could not get result from Torus nodes duplicate token found[​](#could-not-get-result-from-torus-nodes-duplicate-token-found "Direct link to Could not get result from Torus nodes duplicate token found") "Could not get result from torus nodes Duplicate token found" error is thrown when the JWT is sent twice in the same request. ``` await web3auth.connectTo(WALLET_ADAPTERS.AUTH, { loginProvider: 'jwt', extraLoginOptions: { id_token: 'ID_TOKEN', // <-- JWT should be unique for each request. verifierIdField: 'sub', }, }) ``` ## Expired token[​](#expired-token "Direct link to Expired token") ### Error occurred while verifying `paramstimesigned` is more than 1m0s ago[​](#error-occurred-while-verifying-paramstimesigned-is-more-than-1m0s-ago "Direct link to error-occurred-while-verifying-paramstimesigned-is-more-than-1m0s-ago") warning Embedded Wallets accepts only those JWTs whose `iat` is less than the current time and is not greater than `60s` from current time. Regardless of the `exp` field of the JWT. - In short, the JWT is considered expired if the `iat` is greater than 60 s from current time. "Error occurred while verifying paramstimesigned is more than 1m0s ago 2022-02-24 13:46:05 +0000 UTC" error could be because: - JWT is expired - The JWT's `exp` field is less than the current time - The JWT's `iat` field is greater than `60s` from current time ## Mismatch JWT validation field[​](#mismatch-jwt-validation-field "Direct link to Mismatch JWT validation field") This error occurred when the validation field in the JWT is not matching with the validation field entered during the creation of Verifiers on the Embedded Wallets dashboard. This is the `JWT Validation` field on the `Verifier Modal` of the Embedded Wallets configuration: ![JWT Validation Field - Troubleshoot](/assets/images/jwt-validation-field-5c60403fc5d192c3831dbe1c85403a6e.png) Ensure, these fields are present in the JWT Payload and match with the JWT. ## Refresh tokens not supported[​](#refresh-tokens-not-supported "Direct link to Refresh tokens not supported") Embedded Wallets does not support refresh tokens to maintain longer sessions, instead we offer [session management](/embedded-wallets/dashboard/advanced/session-management/). tip During login with Embedded Wallets, pass the `sessionTime` parameter. This allows users to stay authenticated with Embedded Wallets for up to 1 day by default or a maximum of 30 days until they log out or their session data is cleared. A refresh token is a unique token that can be used to obtain additional access tokens from an Authentication Service Provider. With a refresh token, one can get a new `id_token` to make another login request. This enables users to maintain longer authentication sessions without the need for constant re-login. While Embedded Wallets, verifies the validity of the `id_token` and compares its payload value to the JWKS provided by either the Auth provider or your custom JWKS, it does not support refresh. Although we do not support refresh tokens to maintain longer sessions, we do offer session management. Session management supports dapps to check and maintain existing sessions with Embedded Wallets.