Custom jwt validation in v4

System Information
  • Strapi Version: 4.0.5
  • Auth provider: Auth0

I’m aware of a similar existing question here

I have the exact same issue along with some other concerns around authentication in Strapi v4.

It seems that making any request from my frontend with a Bearer token in the authorization header comes back as a 401. Even on public routes.

Before, in Strapi v3, if I made a request with an Authorization header, I was able to use this guide to intercept the users-permissions check and validate the token by making a request to my Auth0 domain.

So essentially, whether the route is public or requires auth, I’m unable to run my custom permissions policy as it gets 401’d immediately.

Important to note that I’m not using Strapi’s /auth/xxx login flow at all. I’m building an app in React Native so I’m obtaining a JWT from Auth0 directly. My v3 setup was able to use that JWT to authenticate my requests, but not in v4.

Is that possible in v4?

I’ve been at a complete loss for over a week :sob:

The reason I began migrating was because I found an issue with v3’s users-permissions jwt verifier as it doesn’t have an algorithms array defined and saw that only v4 was receiving support currently? :frowning:

Also opened a GitHub issue around the out-of-date docs

2 Likes

I would recommend creating an extension and then overwriting the plugin.services.jwt function, which has the role of signing/verifying the Strapi JWT! Copy the function structure from node_modules/@strapi/plugin-users-permissions/server/services/jwt.js and then modify it to your needs.

1 Like
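
As an added example (not code from this thread or from Strapi), here is the kind of check a custom verify step could perform for an externally issued token, with the accepted algorithms pinned, which is the gap the question raises about the v3 verifier. The names `verifyPinned`, `outcome`, the issuer and the audience are hypothetical, the key pair is generated locally as a stand-in for the identity provider's signing key, and wiring the function into the overridden jwt service is not shown.

```javascript
// Added example: algorithm-pinned JWT verification using Node built-ins only.
const crypto = require('node:crypto');

const ALLOWED_ALGS = ['RS256']; // fixed server-side, never chosen by the token
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Returns the payload or throws. opts: { publicKey, issuer, audience, now? }
function verifyPinned(token, opts) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const { alg } = decode(h);
  if (!ALLOWED_ALGS.includes(alg)) throw new Error('algorithm not allowed: ' + alg);
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(h + '.' + p), opts.publicKey,
    Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  const payload = decode(p); // claims are read only after the signature checks out
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('expired');
  if (payload.iss !== opts.issuer) throw new Error('wrong issuer');
  if (![].concat(payload.aud ?? []).includes(opts.audience)) throw new Error('wrong audience');
  return payload;
}

// Constructed sample data: throwaway key pair, hypothetical issuer and audience.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OPTS = { publicKey, issuer: 'https://tenant.example/', audience: 'https://api.example' };
const claims = { iss: OPTS.issuer, aud: OPTS.audience, sub: 'user-1',
  exp: Math.floor(Date.now() / 1000) + 300 };

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
function makeToken(header, payload, sign) {
  const input = enc(header) + '.' + enc(payload);
  return input + '.' + sign(input);
}
const rs256 = makeToken({ alg: 'RS256', typ: 'JWT' }, claims,
  (input) => crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url'));
const hs256 = makeToken({ alg: 'HS256', typ: 'JWT' }, claims,
  (input) => crypto.createHmac('sha256', 'constructed-secret').update(input).digest('base64url'));
const unsigned = makeToken({ alg: 'none' }, claims, () => '');

// Verification result as a string: the subject on success, the rejection reason otherwise.
function outcome(token, opts = OPTS) {
  try { return verifyPinned(token, opts).sub; } catch (err) { return err.message; }
}

console.log([rs256, hs256, unsigned].map((t) => outcome(t)));
```

The header's `alg` value is only compared against the allowlist and never used to select the verification routine, so a token declaring a different algorithm is rejected before any signature work is done.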