# Exchanging JSON Web Tokens
To exchange JSON Web Tokens (opens new window) with each other, the recipient must check the validity of the token. Since we issue the token, only the validity must be checked using the public keys (which are provided as JWKs (opens new window)). You can use the following interactive validity checker to decode the payload and verify the signature.
As an API provider, you MUST validate incoming tokens and verify that the subject is authorized to perform certain operations by checking the specified scopes.
Be aware that, in order to ensure security for our end users, we rotate our keys regularly (every 3-6 months). It is recommended to not cache the public keys for longer than one day. There will be very long transition periods where you must test against an incoming JWT against multiple keys as done in the example code below.
# Interactive Verifier
# How to validate a JWT
Each programming language usually provides public libraries that can be used to validate and decode the JWT.
- Get the public JWKs (JSON Web Key) via the directory API
GET https://hub.zaikio.com/api/v1/jwt_public_keys
- (optionally) Depending on the library used, transform the JWKs into public certificates
.pem
(since some libraries require this format) - Decode the payload and verify validity of the JWT with a JWT library