pbechliv · 8mo ago

Introspect endpoint vs local JWT validation

I have a question regarding our implementation of our Frontend/Backend communication. Currently I am doing a PoC where every time our frontend makes a request to our backend, the backend is reaching out to Zitadel's introspection endpoint to validate that the token is active. Is this the best practice for validating the token, as it would mean a lot of requests going to the introspect endpoint? Is there throttling for this endpoint? The alternative, from what I understand, would be to get the public keys (JSON Web Key Set, JWKS) and do a local validation, with the caveat that we don't know when the keys change.
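The local-validation alternative raised in the question, worked through as an added example (this is not code from the thread, ZITADEL, or its docs). It fetches a JWKS through a caller-supplied function (an HTTP GET against the issuer's JWKS URL in production), caches the RSA keys by `kid`, and handles the "we don't know when the keys change" caveat by refetching the set only when a token arrives with an unseen `kid`, rate-limited so bogus `kid` values cannot be used to hammer the JWKS endpoint. Verification allow-lists RS256, checks the signature, `exp` and `iss`. `SignRS256`, `JWKSFor`, `genKey`, the `key-1`/`key-2` identifiers and the `https://issuer.example` issuer are constructed stand-ins for the identity provider so the example runs offline; they are assumptions, not ZITADEL behaviour.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// KeyCache keeps the last JWKS and refetches it only when a token carries an unseen
// kid, and at most once per MinRefresh, so a flood of tokens with bogus kids cannot
// turn the backend into a request amplifier against the JWKS endpoint. Add a mutex
// if verification runs concurrently.
type KeyCache struct {
	Fetch       func() ([]byte, error) // returns raw JWKS JSON; an HTTP GET in production
	MinRefresh  time.Duration
	keys        map[string]*rsa.PublicKey
	lastRefresh time.Time
}

// refresh replaces the cached keys with the RSA keys of a freshly fetched JWKS.
func (c *KeyCache) refresh() error {
	raw, err := c.Fetch()
	if err != nil {
		return err
	}
	var set struct{ Keys []struct{ Kid, Kty, N, E string } } // JSON names match case-insensitively
	if err := json.Unmarshal(raw, &set); err != nil {
		return err
	}
	fresh := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && errN == nil && errE == nil { // unusable entries are skipped, not fatal
			fresh[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	c.keys, c.lastRefresh = fresh, time.Now()
	return nil
}

// Key returns the verification key for kid, refetching the JWKS on a cache miss.
func (c *KeyCache) Key(kid string) (*rsa.PublicKey, error) {
	if _, ok := c.keys[kid]; !ok && time.Since(c.lastRefresh) >= c.MinRefresh {
		if err := c.refresh(); err != nil {
			return nil, err
		}
	}
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return nil, errors.New("unknown kid (not in JWKS, or refresh rate-limited)")
}

// VerifyRS256 validates a compact JWT locally: RS256 only, signature against the
// cached key, then exp and iss. It returns the payload claims on success.
func VerifyRS256(token string, c *KeyCache, issuer string, now time.Time) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "RS256" { // allow-list the algorithm; never let the token choose it
		return nil, errors.New("unsupported alg")
	}
	pub, err := c.Key(hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any
	if pb, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if exp, ok := claims["exp"].(float64); !ok || float64(now.Unix()) >= exp || claims["iss"] != issuer {
		return nil, errors.New("token expired or wrong issuer")
	}
	return claims, nil
}

// genKey, SignRS256 and JWKSFor play the identity provider's part so the example
// runs offline; all three are constructed for this demo and are not ZITADEL code.
func genKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func SignRS256(claims map[string]any, kid string, priv *rsa.PrivateKey) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
	signing := enc(map[string]string{"alg": "RS256", "kid": kid}) + "." + enc(claims)
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + b64.EncodeToString(sig)
}

func JWKSFor(keys map[string]*rsa.PrivateKey) []byte {
	ks := []map[string]string{}
	for kid, k := range keys {
		ks = append(ks, map[string]string{"kid": kid, "kty": "RSA", "n": b64.EncodeToString(k.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(k.E)).Bytes())})
	}
	b, _ := json.Marshal(map[string]any{"keys": ks})
	return b
}

func main() {
	k1 := genKey()
	live := map[string]*rsa.PrivateKey{"key-1": k1} // the IdP's currently published signing keys
	cache := &KeyCache{Fetch: func() ([]byte, error) { return JWKSFor(live), nil }, MinRefresh: time.Minute}
	tok := SignRS256(map[string]any{"iss": "https://issuer.example", "sub": "u1", "exp": float64(time.Now().Add(time.Hour).Unix())}, "key-1", k1)
	fmt.Println(VerifyRS256(tok, cache, "https://issuer.example", time.Now()))
}
```

Rotation then works without polling: when the issuer publishes a new key and starts signing with it, the first token carrying the new `kid` misses the cache and triggers one refetch; a `kid` that is still unknown after the refetch, or a miss inside the rate-limit window, is rejected rather than retried. Two things this local check cannot give you, and which the introspection endpoint can: it does not see tokens revoked server-side before `exp`, and it only trusts keys the JWKS actually lists, so a periodic background refresh is still worth adding alongside the miss-triggered one.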
3 Replies
sagion · 8mo ago
+1, have a similar use case
Raccine · 8mo ago
Hey @pbechliv - Thanks for reaching out. We have a doc that outlines some of our recommendations regarding token introspection - Give this a read and let me know if this answers your question: https://zitadel.com/docs/guides/integrate/token-introspection If not, I'm happy to provide more info! ☺️
ZITADEL Docs
Token introspection is the process of checking whether an access token is valid and can be used to access protected resources.
Unknown User · 7mo ago
Message Not Public