
# Protecting your servers

> Use the Dynamic-issued JWT to protect your backend — Client / end-user ↔ Customer servers.

After the user authenticates with Dynamic, you can use the Dynamic-issued JWT to protect your own backend APIs. The JWT proves the user's identity — your server verifies it using Dynamic's public key.

## Client / end-user ↔ Customer servers

```mermaid theme={"system"}
sequenceDiagram
    participant User as End User
    participant App as Your App with Dynamic SDK
    participant Server as Your Backend
    participant Dynamic as Dynamic Backend

    User->>App: Authenticated (has JWT)
    App->>Server: API request with JWT (Authorization header or cookie)
    Server->>Dynamic: Fetch public key (JWKS endpoint, cached)
    Server->>Server: Verify JWT signature and claims
    Server->>App: Authorized response
```

1. The user is already authenticated and has a JWT from Dynamic.
2. Your app sends the JWT to your backend (in the `Authorization: Bearer <token>` header, or automatically via cookie).
3. Your backend verifies the JWT using Dynamic's public key (fetched from the [JWKS endpoint](/overview/authentication/tokens#getting-the-verification-key) and cached).
4. **Your backend verifies the scope contains `user:basic`** — this confirms the user has completed the full authentication flow.
5. After verification, your backend trusts the claims in the JWT (`sub` for user ID, `verified_credentials`, etc.) and authorizes the request.

<Warning>
  **Critical**: You must verify that the JWT scope list includes `user:basic`. If `user:basic` is not among the scopes, the user has NOT completed authentication and the JWT should not be trusted for protected operations. See [Tokens](/overview/authentication/tokens#verifying-the-jwt) for code examples.
</Warning>
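The verification steps above as an added example (not Dynamic's own code), using only Node's built-in `crypto`. It assumes RS256 signatures and a `scope` claim holding either a space-separated string or an array; the key pair and `signToken` are constructed stand-ins for Dynamic's signing key so the block runs offline, and `verifyDynamicJwt` is a hypothetical name.

```javascript
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');

// Constructed stand-in for Dynamic's key pair. In production your server only
// ever holds the public key, fetched from the JWKS endpoint and cached.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Constructed helper that mints sample tokens; only Dynamic signs real ones.
function signToken(payload, key = privateKey) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const input = `${head}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

// Steps 3-5: check signature and expiry, then require user:basic before trusting claims.
function verifyDynamicJwt(token, key, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm server-side; the token must not choose how it is verified.
  if (header?.alg !== 'RS256') return { ok: false, reason: 'bad_alg' };
  const valid = crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!valid) return { ok: false, reason: 'bad_signature' };
  if (typeof claims?.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  // Exact match per scope entry, so "user:basicx" does not pass as "user:basic".
  const scopes = Array.isArray(claims.scope) ? claims.scope : String(claims.scope ?? '').split(' ');
  if (!scopes.includes('user:basic')) return { ok: false, reason: 'missing_user_basic' };
  return { ok: true, sub: claims.sub };
}
```

The scope check runs only after the signature and expiry checks pass, so an unsigned or altered `scope` value is never evaluated.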

For full details on JWT structure, claims, and verification steps, see [Tokens](/overview/authentication/tokens).
