Merged
Expand Up @@ -102,6 +102,62 @@ To get the AUD tag:

You can now paste the AUD tag into your token validation script. The AUD tag will never change unless you delete or recreate the Access application.

### Cloudflare Workers example

When Cloudflare Access is in front of your [Worker](/workers), your Worker still needs to validate the JWT that Cloudflare Access adds to the `Cf-Access-Jwt-Assertion` header on the incoming request.

The following code will validate the JWT using the [jose NPM package](https://www.npmjs.com/package/jose):

```javascript
import { jwtVerify, createRemoteJWKSet } from 'jose';

export default {
async fetch(request, env, ctx) {
// Get the JWT from the request headers
const token = request.headers.get('cf-access-jwt-assertion');

// Check if token exists
if (!token) {
return new Response('Missing required CF Access JWT', {
status: 403,
headers: { 'Content-Type': 'text/plain' }
});
}

try {
// Create JWKS from your team domain
const JWKS = createRemoteJWKSet(new URL(`${env.TEAM_DOMAIN}/cdn-cgi/access/certs`));

// Verify the JWT
const { payload } = await jwtVerify(token, JWKS, {
issuer: env.TEAM_DOMAIN,
audience: env.POLICY_AUD,
});

// Token is valid, proceed with your application logic
return new Response(`Hello ${payload.email || 'authenticated user'}!`, {
headers: { 'Content-Type': 'text/plain' }
});

} catch (error) {
// Token verification failed
return new Response(`Invalid token: ${error.message}`, {
status: 403,
headers: { 'Content-Type': 'text/plain' }
});
}
},
};
```

#### Required environment variables

Add these [environment variables](/workers/configuration/environment-variables/) to your Worker:
- `POLICY_AUD`: Your application's [AUD tag](#get-your-aud-tag)
- `TEAM_DOMAIN`: `https://<your-team-name>.cloudflareaccess.com`, where `<your-team-name>` is replaced with your actual <GlossaryTooltip term="team name">team name</GlossaryTooltip>.

You can set these variables by adding them to your Worker's [Wrangler configuration file](/workers/wrangler/configuration/), or via the Cloudflare dashboard under **Workers & Pages** > **your-worker** > **Settings** > **Environment Variables**.

### Golang example

```go
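Review bot: In the `jwtVerify` options of the new Workers example, `audience: env.POLICY_AUD` is passed without checking that the variable is set, and jose does not validate the `aud` claim when `audience` is undefined, so a Worker deployed without `POLICY_AUD` would accept any token signed by the team's keys regardless of which Access application it was issued for. Suggest returning an error before the `try` when `env.POLICY_AUD` or `env.TEAM_DOMAIN` is missing, and saying under "Required environment variables" that both are mandatory. Separately, the catch block returns `Invalid token: ${error.message}` to the caller; a fixed 403 body with the detail sent to `console.error` would keep verification internals out of responses.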
Expand Down Expand Up @@ -246,7 +302,7 @@ if __name__ == '__main__':
app.run()
```

### JavaScript example
### JavaScript (Node.js) example

```javascript
const express = require("express");
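Review bot: Renaming the heading `### JavaScript example` to `### JavaScript (Node.js) example` changes the anchor generated for this section, so existing links to the old heading fragment will stop resolving. Worth searching the docs for inbound links to the old anchor and updating them in this PR.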
Expand Down Expand Up @@ -292,7 +348,3 @@ app.get("/", (req, res) => {

app.listen(3333);
```

## Related resources

- [Verifying JWTs in Cloudflare Workers](https://kinde.com/blog/engineering/verifying-jwts-in-cloudflare-workers/) - Implement JWT verification in Cloudflare Workers.