Tokens
Aero2 issues three types of JWT tokens (access, ID and session), each serving a different purpose, plus an opaque refresh token. All JWTs are signed with RS256 (RSA + SHA-256) using keys that rotate automatically.
Token Types
Access Token
The access token authorizes API requests. Include it in the Authorization header.
| Property | Value |
|---|---|
| Format | JWT (RS256) |
| Lifetime | 1 hour |
| token_use claim | access |
| Usage | Authorization: Bearer <token> |
ID Token
The ID token contains identity claims about the user. It's only issued when the openid scope is requested.
| Property | Value |
|---|---|
| Format | JWT (RS256) |
| Lifetime | 1 hour |
| token_use claim | id |
| Contains | sub, email, name, nonce, auth_time |
Refresh Token
The refresh token is used to get new access tokens without re-authentication.
| Property | Value |
|---|---|
| Format | Opaque string |
| Lifetime | 7 days |
| Storage | HMAC-hashed in database |
| Rotation | Enforced (old token invalidated on use) |
Session Token
Session tokens are used internally by Aero2's web interface. They're stored in HttpOnly cookies.
| Property | Value |
|---|---|
| Format | JWT (RS256) |
| Lifetime | 1 hour |
| token_use claim | session |
| Storage | HttpOnly, Secure, SameSite=Lax cookie |
Token Verification
To verify an Aero2 token:
- Fetch the JWKS from /oauth2/jwks.json
- Find the key matching the token's kid header
- Verify the RS256 signature
- Check standard claims: iss, aud, exp, iat
```js
// Example using the jose library
import * as jose from 'jose';

// Remote JWKS: jose caches the key set and picks the key matching the token's kid header
const JWKS = jose.createRemoteJWKSet(
  new URL('https://aero2.dev/oauth2/jwks.json')
);

// token: the JWT taken from the Authorization: Bearer header
const { payload } = await jose.jwtVerify(token, JWKS, {
  issuer: 'https://aero2.dev',
  audience: 'your-client-id',
  algorithms: ['RS256'], // pin the algorithm; do not let the token choose it
});
```

Inspect a Token
Paste a JWT below to decode it. Everything runs in your browser — nothing is sent to any server.
See Also
- Scopes & Claims — What information each scope provides
- Token endpoint — How to obtain tokens
- Revocation endpoint — How to invalidate tokens