JWT token for other use

[WeersProductions]

Hi all,

First of all, I have looked around and found similar Q&A's, but I could not find one that would give me an actual answer. If I missed one, please let me know! #1961 is a very similar question (especially bullet 2 of the original post), but does not seem to answer this.

I use next-auth as the authentication mechanism, using multiple providers. Let's take Google as an example.
I want to use the same authentication information for other services. I have a server with a WebSocket connection running, which connects the client to a group of servers. These backend servers need to be able to verify who this user is.

I am very inexperienced with security, but right now I think this would be the way to go:

1. Authenticate normally using next-auth (e.g. using Google)
2. Keep the JWT
3. Pass this JWT with every WebSocket message
4. Verify the JWT in the backend and use the information on it (e.g. userId to check who sent this message)

I have step 1 working, but cannot find any information on accessing the JWT. I know I can access the Session data (and thus the user name/email/profile picture), but the JWT does not seem to be accessible from the client. The JWT is retrievable on the server side: https://next-auth.js.org/tutorials/securing-pages-and-api-routes#using-gettoken , but it seems strange to use the server to get this JWT.

Thank you in advance!
Sincerely,
Floris Weers