Authenticating EBS requests

So for an extension we’re developing, we’ve got a front-end configuration UI for the broadcaster, and an overlay UI for the viewers. The config UI allows the broadcaster to save the name of a game character (whose info will be shown in the viewer overlay).

The config UI makes an API call to our EBS, and can send along the auth.token value returned from the Twitch.ext.onAuthorized JS function. The problem I’m having is, it’s not clear to me what we do with that auth.token.

If I’m understanding this correctly, the token (which is a JWT) contains a value which was constructed using a shared secret. Therefore we can use a JWT library on our back end to examine the JWT and verify that it was indeed constructed using the shared secret (which is available only to Twitch and to our EBS; it’s not visible to broadcasters or viewers). The JWT should also contain a claim about the sender (in this case, the facts that 1) the sender is a broadcaster, not a viewer, and 2) their user ID), which allows us to know for sure who they are.

Once we verify the JWT in this way, we now know for certain which Twitch user sent it, and that they are a broadcaster. Therefore we can save the data they sent (the aforementioned character name) in our database.

If the above is all correct, can someone recommend a Node.js JWT library to use for verifying the JWTs we receive? And is there a way to get valid JWTs back from Twitch when developing locally?

I’ve been using jsonwebtoken, the same as the boilerplate example.

The website https://jwt.io/ provides a list of libraries.

Right now it only recommends jsonwebtoken.

That aside, the site provides all the notes and a useful JWT testing tool.