After the user authenticates with Dynamic, you can use the Dynamic-issued JWT to protect your own backend APIs. The JWT proves the user’s identity — your server verifies it using Dynamic’s public key.

Client / end-user ↔ Customer servers

  1. The user is already authenticated and has a JWT from Dynamic.
  2. Your app sends the JWT to your backend (in the Authorization: Bearer <token> header, or automatically via cookie).
  3. Your backend verifies the JWT using Dynamic’s public key (fetched from the JWKS endpoint and cached).
  4. Your backend verifies the scope contains user:basic — this confirms the user has completed the full authentication flow.
  5. After verification, your backend trusts the claims in the JWT (sub for user ID, verified_credentials, etc.) and authorizes the request.
Critical: You must verify that the JWT scope list includes user:basic. If user:basic is not among the scopes, the user has NOT completed authentication and the JWT should not be trusted for protected operations. See Tokens for code examples.
For full details on JWT structure, claims, and verification steps, see Tokens.
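
The checks in steps 3 to 5, as an added example (not Dynamic's SDK and not code from this page). It assumes RS256 signing, an `exp` claim, and a `scope` claim that is either a space-separated string or an array; the key pair, `kid` and tokens are constructed so it runs offline, where a real backend would load and cache the JWKS from Dynamic's endpoint.

```javascript
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Steps 3-5: returns the verified claims, or throws with the reason for rejection.
function verifyDynamicJwt(token, jwks, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = decode(h);
  // Pin the algorithm server-side (assumed RS256); never trust the token's own alg.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const sigOk = crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  const claims = decode(p); // claims are read only after the signature checks out
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // Step 4: exact match on a scope entry; a lookalike such as "user:basicx" must not pass.
  const scopes = Array.isArray(claims.scope) ? claims.scope : String(claims.scope ?? '').split(/\s+/);
  if (!scopes.includes('user:basic')) throw new Error('missing user:basic scope');
  return claims;
}

// Constructed fixtures: a throwaway RSA key pair stands in for Dynamic's signing key and JWKS.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const SAMPLE_JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1' }] };

// Hypothetical helper: signs constructed claims so the verifier has something to check.
function signSample(claims, header = { alg: 'RS256', kid: 'demo-key-1' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Returns 'ok' or the rejection reason, so each case can be compared directly.
function check(token) {
  try { verifyDynamicJwt(token, SAMPLE_JWKS); return 'ok'; } catch (e) { return e.message; }
}

const demoExp = Math.floor(Date.now() / 1000) + 300;
console.log(check(signSample({ sub: 'user-123', scope: 'user:basic', exp: demoExp })));
console.log(check(signSample({ sub: 'user-123', scope: '', exp: demoExp })));
```

The scope check runs only after the signature and expiry checks pass, so a token that fails any of them is rejected before its claims are used for authorization.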