# Exchanging JSON Web Tokens

When JSON Web Tokens are exchanged, the recipient must check the validity of each token. Since we issue the token, only its validity must be checked, using the public key (which is provided as a JWK). You can use the following interactive validity checker to decode the payload and verify the signature.

As an API provider, you MUST validate incoming tokens and verify that the subject is authorized to perform the requested operations by checking the specified scopes.

# Interactive Verifier

# How to validate a JWT

Most programming languages have public libraries that can be used to validate and decode the JWT.

  1. Get the public JWK (JSON Web Key) via the directory API: `GET https://directory.zaikio.com/api/v1/jwt_public_keys`
  2. (Optional) Depending on the library used, transform the JWK into a public certificate `.pem` (since some libraries require this format)
  3. Decode the payload and verify the validity of the JWT with a JWT library
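The checks behind step 3, spelled out as an added example (not code from this page or from Zaikio): a standard-library-only verifier that pins the algorithm, verifies the signature against the JWK, then checks expiry and the required scope. Assumptions: tokens are signed with RS256, scopes arrive as a JSON array in a `scope` claim, and the names `validate_jwt`, `sign_demo` and `DEMO_JWK` plus the demo key are constructed for illustration; a maintained JWT library performs the signature step in practice.

```python
import base64, hashlib, hmac, json, time
# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_sha256(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def validate_jwt(token, jwk, required_scope, now=None):
    """Return the claims, or raise ValueError if any check fails."""
    head, body, sig = token.split(".")  # ValueError unless exactly 3 parts
    header, signature = json.loads(b64d(head)), b64d(sig)
    # Pin the algorithm on the verifier side; never let the token header choose it.
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    n = int.from_bytes(b64d(jwk["n"]), "big")
    e = int.from_bytes(b64d(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    expected = emsa_pkcs1_sha256(f"{head}.{body}".encode(), k)
    if len(signature) != k or s >= n or not hmac.compare_digest(
            pow(s, e, n).to_bytes(k, "big"), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))  # parsed only after the signature checks out
    exp, scopes = claims.get("exp"), claims.get("scope")
    if not isinstance(exp, (int, float)) or exp <= (now or time.time()):
        raise ValueError("expired")
    if not isinstance(scopes, list) or required_scope not in scopes:
        raise ValueError("missing scope")
    return claims

# Constructed demo key from two Mersenne primes: insecure, for offline runs only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
K = (N.bit_length() + 7) // 8
DEMO_JWK = {"kty": "RSA", "n": b64e(N.to_bytes(K, "big")), "e": b64e(E.to_bytes(3, "big"))}

def sign_demo(claims):
    """Issuer side of the demo: sign claims with the constructed key."""
    msg = b64e(b'{"alg":"RS256","typ":"JWT"}') + "." + b64e(json.dumps(claims).encode())
    d = pow(E, -1, (P - 1) * (Q - 1))
    sig = pow(int.from_bytes(emsa_pkcs1_sha256(msg.encode(), K), "big"), d, N)
    return msg + "." + b64e(sig.to_bytes(K, "big"))
```

In a real service the `jwk` argument would be the key fetched in step 1, cached and refreshed when keys rotate.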