Add example for validating JWT in a Cloudflare Worker

Author: irvinebroque

src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx

@@ -102,6 +102,68 @@ To get the AUD tag:
 
 You can now paste the AUD tag into your token validation script. The AUD tag will never change unless you delete or recreate the Access application.
 
+### Cloudflare Workers example
+
+When Cloudflare Access is in front of your [Worker](/workers), your Worker still needs to validate the JWT that Cloudflare Access adds to the `Cf-Access-Jwt-Assertion` header on the incoming request, to ensure that the request came from Cloudflare Access, and not a malicious third-party.
+
+The following code will validate the JWT using the [jose NPM package](https://www.npmjs.com/package/jose):
+
+```javascript
+import { jwtVerify, createRemoteJWKSet } from 'jose';
+
+export default {
+	async fetch(request, env, ctx) {
+		// Get the JWT from the request headers
+		const token = request.headers.get('cf-access-jwt-assertion');
+
+		// Check if token exists
+		if (!token) {
+			return new Response('Missing required CF Access JWT', {
+				status: 403,
+				headers: { 'Content-Type': 'text/plain' }
+			});
+		}
+
+		try {
+			// Create JWKS from your team domain
+			const JWKS = createRemoteJWKSet(new URL(`${env.TEAM_DOMAIN}/cdn-cgi/access/certs`));
+
+			// Verify the JWT
+			const { payload } = await jwtVerify(token, JWKS, {
+				issuer: env.TEAM_DOMAIN,
+				audience: env.POLICY_AUD,
+			});
+
+			// Token is valid, proceed with your application logic
+			return new Response(`Hello ${payload.email || 'authenticated user'}!`, {
+				headers: { 'Content-Type': 'text/plain' }
+			});
+
+		} catch (error) {
+			// Token verification failed
+			return new Response(`Invalid token: ${error.message}`, {
+				status: 403,
+				headers: { 'Content-Type': 'text/plain' }
+			});
+		}
+	},
+};
+```
+
+#### Required environment variables
+
+Add these [environment variables](/workers/configuration/environment-variables/) to your Worker:
+
+1. **`POLICY_AUD`** - Your application's Audience (AUD) tag from Zero Trust dashboard
+   - Go to **Access** > **Applications** > **Configure** > **Basic information**
+   - Copy the **Application Audience (AUD) Tag**
+
+2. **`TEAM_DOMAIN`** - Your Zero Trust team domain
+   - Format: `https://<your-team-name>.cloudflareaccess.com`
+   - Replace `<your-team-name>` with your actual team name
+
+You can set these variables by adding them to your Worker's [Wrangler configuration file](/workers/wrangler/configuration/), or via the Cloudflare dashboard under **Workers & Pages** > **your-worker** > **Settings** > **Environment Variables**.
+
 ### Golang example
 
 ```go
@@ -246,7 +308,7 @@ if __name__ == '__main__':
     app.run()
 ```
 
-### JavaScript example
+### JavaScript (Node.js) example
 
 ```javascript
 const express = require("express");