Recipe

Verify a partner token locally with the JWKS

Verify a partner JWT yourself instead of calling introspection every time: fetch the JWKS, cache by kid, and validate signature, issuer, audience and expiry. Re-fetch on an unknown kid.


Key points:
JWKS: public keys
kid cache: handle rotation
iss/aud/exp: check all

Fetch and cache the keys

Pull the signing keys from GET /partner/v1/oauth/jwks and cache them keyed by kid. Do not fetch per request — that adds latency and burns quota. Refresh on a schedule and on demand.

Validate the token

For each incoming token, select the key by the JWT header's kid, verify the signature, then check the standard claims: iss matches the Credicorp issuer, aud matches your resource, and exp is in the future (allow a little leeway for clock skew). Reject on any failure. This is the local counterpart to introspection.

Handle rotation and revocation

On a token whose kid you do not have, re-fetch the JWKS once and retry — a key almost certainly rotated. The one thing local verification cannot see is a revocation before natural expiry; if you must honour revocations instantly, use introspection for those paths instead. See client credentials for the wider flow.

Frequently asked questions

When should I introspect instead of verifying locally?

Use introspection when you must honour a revocation immediately — local JWKS verification cannot see a token revoked before it expires. For everything else, local verification is faster and needs no round trip.

What do I do on an unknown kid?

Re-fetch the JWKS once and retry verification. An unknown kid almost always means a key rotated, not an attack — so refresh before rejecting, but still reject if the token fails after the refresh.
