Add example for validating JWT in a Cloudflare Worker (#25360)

* Add example for validating JWT in a Cloudflare Worker

* PCX edits

---------

Co-authored-by: ranbel <[email protected]>

Author: irvinebroque

src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx

@@ -102,6 +102,62 @@ To get the AUD tag:
 
 You can now paste the AUD tag into your token validation script. The AUD tag will never change unless you delete or recreate the Access application.
 
+### Cloudflare Workers example
+
+When Cloudflare Access is in front of your [Worker](/workers), your Worker still needs to validate the JWT that Cloudflare Access adds to the `Cf-Access-Jwt-Assertion` header on the incoming request.
+
+The following code will validate the JWT using the [jose NPM package](https://www.npmjs.com/package/jose):
+
+```javascript
+import { jwtVerify, createRemoteJWKSet } from 'jose';
+
+export default {
+	async fetch(request, env, ctx) {
+		// Get the JWT from the request headers
+		const token = request.headers.get('cf-access-jwt-assertion');
+
+		// Check if token exists
+		if (!token) {
+			return new Response('Missing required CF Access JWT', {
+				status: 403,
+				headers: { 'Content-Type': 'text/plain' }
+			});
+		}
+
+		try {
+			// Create JWKS from your team domain
+			const JWKS = createRemoteJWKSet(new URL(`${env.TEAM_DOMAIN}/cdn-cgi/access/certs`));
+
+			// Verify the JWT
+			const { payload } = await jwtVerify(token, JWKS, {
+				issuer: env.TEAM_DOMAIN,
+				audience: env.POLICY_AUD,
+			});
+
+			// Token is valid, proceed with your application logic
+			return new Response(`Hello ${payload.email || 'authenticated user'}!`, {
+				headers: { 'Content-Type': 'text/plain' }
+			});
+
+		} catch (error) {
+			// Token verification failed
+			return new Response(`Invalid token: ${error.message}`, {
+				status: 403,
+				headers: { 'Content-Type': 'text/plain' }
+			});
+		}
+	},
+};
+```
+
+#### Required environment variables
+
+Add these [environment variables](/workers/configuration/environment-variables/) to your Worker:
+	- `POLICY_AUD`: Your application's [AUD tag](#get-your-aud-tag)
+	- `TEAM_DOMAIN`: `https://<your-team-name>.cloudflareaccess.com`, where `<your-team-name>` is replaced with your actual <GlossaryTooltip term="team name">team name</GlossaryTooltip>.
+
+You can set these variables by adding them to your Worker's [Wrangler configuration file](/workers/wrangler/configuration/), or via the Cloudflare dashboard under **Workers & Pages** > **your-worker** > **Settings** > **Environment Variables**.
+
 ### Golang example
 
 ```go
@@ -246,7 +302,7 @@ if __name__ == '__main__':
     app.run()
 ```
 
-### JavaScript example
+### JavaScript (Node.js) example
 
 ```javascript
 const express = require("express");
@@ -292,7 +348,3 @@ app.get("/", (req, res) => {
 
 app.listen(3333);
 ```
-
-## Related resources
-
-- [Verifying JWTs in Cloudflare Workers](https://kinde.com/blog/engineering/verifying-jwts-in-cloudflare-workers/) - Implement JWT verification in Cloudflare Workers.