triplit icon indicating copy to clipboard operation
triplit copied to clipboard
verified publisher icon aspen-cloud

Starting with a JWT

Open jonocodes opened this issue 1 month ago • 3 comments

I have been using the dev server locally and it works fine, but now I am bringing it up with a server.js file, and having JWT issues. I even copied the service token from the dev server, but when I use it I get "signature verification failed". Does this mean there is some signature validation that is skipped in dev? I also followed the instructions here to generate new keys, and get the same error. https://www.triplit.dev/docs/self-hosting/key-gen

@triplit/server": "version": "1.1.8"

jonocodes avatar Nov 01 '25 04:11 jonocodes

What are you running to start the server with the server.js file? My first guess is there is some env variable configuration that isnt happening properly

wernst avatar Nov 02 '25 22:11 wernst

Sorry, here are some more concrete steps. I copied the token from the cli script.

#!/usr/bin/env node

import { createServer, createTriplitStorageProvider } from '@triplit/server';
 
const port = +(process.env.PORT || 6544);
 
const startServer = await createServer({
  storage: await createTriplitStorageProvider('sqlite'),
  verboseLogs: !!process.env.VERBOSE_LOGS,
  jwtSecret: process.env.JWT_SECRET || "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ4LXRyaXBsaXQtdG9rZW4tdHlwZSI6InNlY3JldCIsIngtdHJpcGxpdC1wcm9qZWN0LWlkIjoibG9jYWwtcHJvamVjdC1pZCJ9.8Z76XXPc9esdlZb2b7NDC7IVajNXKc4eVcPsO7Ve0ug",
  projectId: process.env.PROJECT_ID,
  externalJwtSecret: process.env.EXTERNAL_JWT_SECRET,
  maxPayloadMb: process.env.MAX_BODY_SIZE,
});
 
const dbServer = startServer(port);
 
console.log('running on port', port);
process.on('SIGINT', function () {
  dbServer.close(() => {
    console.log('Shutting down server... ');
    process.exit();
  });
});

Here is how I run it:

LOCAL_DATABASE_URL="data.db" node triplit/server.js

Then I go to https://console.triplit.dev/

Where I create a connection to a new server http://localhost:6544 using the above token.

When I select the new server, I see this in the terminal:

[2025-11-03T15:08:03.166Z] [message] sent {
  type: 'CLOSE',
  payload: {
    type: 'UNAUTHORIZED',
    retry: false,
    message: 'The signature on your token could not be verified successfully. | Context: signature verification failed'
  }
}

jonocodes avatar Nov 03 '25 15:11 jonocodes

It looks like you may be passing in a jwt token (more aptly named your service token) and not a signing secret. I apologize the naming is confusing (and there's a chance we call your "service token" your "secret token" in the docs in places).

The value of jwtSecret should be the value with which you sign the tokens that you generate (instructions here: https://www.triplit.dev/docs/self-hosting/key-gen). The tokens generated by the dev server are signed with the string jwt-key-for-development-only. So if you pass that in to the jwtSecret value here and use one of those tokens you should be able to successfully connect.

In production you would want to generate your own secrets and tokens using that guide.

Let me know if using the dev server jwt secret combined with the tokens from the dev server don't work.

wernst avatar Nov 04 '25 06:11 wernst