Error verifying JWTs signed by Kinde from Next.js to Express API
According to docs I import the verifier:
const {jwtVerify} = require("@kinde-oss/kinde-node-express");
const verifier = jwtVerify("https://<your_kinde_subdomain>.kinde.com");
This is my express project where I want to protect my routes. According to docs:
app.get("/some-route", verifier, (req, res) => {
  console.log(req.user); // {id: kp:the-users-kinde-id}
});
But I get an error: TypeError: Cannot destructure property 'audience' of 't' as it is undefined.
This is thrown at the code line: const verifier = jwtVerify("https://kynavo.kinde.com");
Am I missing something obviously important? The sign in works fine in my client (Next.js)
Grateful for any guidance on this.
2 Replies
I have maybe come a bit further now. I pass my access token from my client to my Express backend API, and there I use a third-party library (jwks-rsa) to verify the token by using my Kinde jwksUris.
I have now come so far that it invalidates the token due to a missing audience. I have set up my API in Kinde and given it an audience, but the token does not contain this audience from client to backend. aud is []. I have authorized the API against the application in the Kinde portal.
If I go to the API in Kinde and generate a token, it actually contains aud, but the token I get when authenticating in the client is empty.
Any guidance on this?
Thanks.
Hi Daniel,
Thank you for providing the detailed context. It looks like the error is happening because the verifier expects an audience value in the token, but the token you're receiving from your client is missing it (or has it as an empty array). Here are a few suggestions that might help resolve this issue:
1. Double-check the access token that’s being sent from your Next.js client. You can decode it (using a tool like jwt.io) to confirm whether the aud claim is present. If it’s missing or empty, then the issue likely lies in how the token is being requested or issued.
2. Since you mentioned that generating a token directly from the API in the Kinde portal includes the correct aud value, please review your API configuration in the Kinde dashboard. Ensure that the API is correctly set up with the intended audience and that the application in Kinde is properly authorized to request tokens with this audience.
3. If your client authentication flow allows specifying an audience, make sure you’re including that parameter when initiating the authentication request. The absence of the audience in the client’s token might mean that the audience parameter isn’t being correctly passed or that the client is not properly configured to request it.
4. Confirm that you’re using the latest version of the @kinde-oss/kinde-node-express package, as improvements or fixes may have been released. Sometimes, SDKs evolve to handle edge cases or provide clearer error messages if configuration details are missing.
I hope these suggestions help clarify the issue. Please let me know if you have any further questions or if there’s any additional information you can share
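An added example (not part of the thread, and not Kinde's or jwks-rsa's code) of the check discussed above: verify the token's RS256 signature against a JWKS, then reject it when `aud` is empty or does not contain the API's audience. The key pair, `sample-kid` and `https://api.example.com` are constructed placeholders; only Node's built-in `crypto` module is used.

```javascript
// Added example: not from the thread and not Kinde SDK code.
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const decodePart = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Verify an RS256 JWT against a JWKS, then require the expected audience.
function verifyAccessToken(token, jwks, expectedAudience) {
  const [h, p, s, ...rest] = String(token).split(".");
  if (!h || !p || !s || rest.length) return { ok: false, reason: "malformed token" };
  let header, payload;
  try {
    header = decodePart(h);
    payload = decodePart(p);
  } catch {
    return { ok: false, reason: "malformed token" };
  }
  // Pin the algorithm on the server; never let the token header choose it.
  if (header?.alg !== "RS256") return { ok: false, reason: "unexpected alg" };
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "RSA");
  if (!jwk) return { ok: false, reason: "unknown kid" };
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: "jwk" });
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify("RSA-SHA256", signed, key, Buffer.from(s, "base64url"))) {
    return { ok: false, reason: "bad signature" };
  }
  if (!(payload?.exp > Date.now() / 1000)) return { ok: false, reason: "expired" };
  // RFC 7519: aud may be a single string or an array; missing is treated as [].
  const aud = [].concat(payload.aud ?? []);
  if (!aud.includes(expectedAudience)) {
    return { ok: false, reason: `audience mismatch: aud=${JSON.stringify(aud)}` };
  }
  return { ok: true, payload };
}

// Constructed fixtures: a throwaway key pair stands in for the issuer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const SAMPLE_JWKS = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "sample-kid" }] };
const SAMPLE_AUDIENCE = "https://api.example.com"; // hypothetical API audience

function signSample(claims) {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT", kid: "sample-kid" }));
  const body = b64url(JSON.stringify({ exp: Math.floor(Date.now() / 1000) + 300, ...claims }));
  const sig = crypto.sign("RSA-SHA256", Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64url(sig)}`;
}
```

A token with `aud: []` has a valid signature but is still rejected, and the reason string shows the audience list the token actually carried.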