Token validation guidelines
Validation and claim extraction
KYA tokens issued by Skyfire are encrypted and sent directly by the agent in the custom HTTP header skyfire-pay-id over a secure HTTPS connection. KYA tokens are signed JWTs compliant with RFC 7515 (JWS) and RFC 7519 (JWT).
- Skyfire publishes its JWKS file at https://app.skyfire.xyz/.well-known/jwks.json. The file doesn't change very often and can be cached for an hour.
- Signing ensures that the JWTs are tamper-proof.
- End-to-end HTTPS encryption ensures that malicious intermediaries cannot extract tokens from the request headers.
Any standard JWKS / JOSE library can be used to verify and extract data from the tokens.
```javascript
import * as jose from 'jose'

// Get the key set from https://app.skyfire.xyz/.well-known/jwks.json
// (the file changes rarely; cache the result for about an hour)
async function getJWKS() {
  const res = await fetch('https://app.skyfire.xyz/.well-known/jwks.json')
  return res.json()
}

const jwks = await getJWKS()
// Build a local key set from the JWKS, then verify the signature and extract the token header and payload
const verifier = jose.createLocalJWKSet(jwks)
const { payload, protectedHeader } = await jose.jwtVerify(
  token, // the compact JWT string taken from the skyfire-pay-id request header
  verifier,
  {
    issuer: 'https://app.skyfire.xyz',
    // .... further checks (audience, required claims) go here
  }
)
```
Reference implementation