After the user authenticates with Dynamic, you can use the Dynamic-issued JWT to protect your own backend APIs. The JWT proves the user’s identity — your server verifies it using Dynamic’s public key.

Client / end-user ↔ Customer servers

  1. The user is already authenticated and has a JWT from Dynamic.
  2. Your app sends the JWT to your backend (in the Authorization: Bearer <token> header, or automatically via cookie).
  3. Your backend verifies the JWT using Dynamic’s public key (fetched from the JWKS endpoint and cached).
  4. After verification, your backend trusts the claims in the JWT (sub for user ID, verified_credentials, etc.) and authorizes the request.

For full details on JWT structure, claims, and verification steps, see Tokens.
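
Steps 2 to 4 as an added example (not Dynamic's own code), using only Node's built-in crypto module. It assumes RS256 signing; a locally generated key pair and an inline JWKS stand in for Dynamic's key and JWKS endpoint, and `fetchJwks`, `signDemoJwt` and the `demo-key-1` kid are hypothetical names.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the issuer: a local RSA key pair and the JWKS it would publish.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1', alg: 'RS256', use: 'sig' }] };

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Demo helper (hypothetical): mints a token the way the issuer would.
function signDemoJwt(claims, header = { alg: 'RS256', typ: 'JWT', kid: 'demo-key-1' }) {
  const input = `${b64u(header)}.${b64u(claims)}`;
  const sig = header.alg === 'RS256' ? crypto.sign('RSA-SHA256', Buffer.from(input), privateKey) : Buffer.alloc(0);
  return `${input}.${sig.toString('base64url')}`;
}

// JWKS cache keyed by kid. fetchJwks is a hypothetical loader; in production it is an HTTPS GET.
let fetchCount = 0;
const fetchJwks = () => { fetchCount += 1; return JWKS; };
const keyCache = new Map();
function getKey(kid) {
  if (!keyCache.has(kid)) {
    for (const jwk of fetchJwks().keys) keyCache.set(jwk.kid, crypto.createPublicKey({ key: jwk, format: 'jwk' }));
  }
  return keyCache.get(kid); // undefined when the JWKS has no such kid
}

// Returns the verified claims or throws. Claims are parsed only after the signature checks out.
function verifyJwt(authorizationHeader, nowSec = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]*)$/.exec(authorizationHeader || '');
  if (!m) throw new Error('malformed bearer token');
  const [, h, p, s] = m;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm, never trust the header's choice
  const key = getKey(header.kid);
  if (!key) throw new Error('unknown kid');
  if (!crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('token expired');
  return claims; // e.g. claims.sub is the user ID to authorize against
}
```

A production verifier would also check the issuer and audience claims against expected values and rate-limit JWKS refetches triggered by unknown `kid` values.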