Fetch and cache the keys
Pull the signing keys from GET /partner/v1/oauth/jwks and cache them keyed by kid. Do not fetch per request — that adds latency and burns quota. Refresh on a schedule and on demand.
Validate the token
For each incoming token, select the key by the JWT header's kid, verify the signature, then check the standard claims: iss matches the Credicorp issuer, aud matches your resource, and exp is in the future (allow a little leeway for clock skew). Reject on any failure. This is the local counterpart to introspection.
Handle rotation and revocation
On a token whose kid you do not have, re-fetch the JWKS once and retry — a key almost certainly rotated. The one thing local verification cannot see is a revocation before natural expiry; if you must honour revocations instantly, use introspection for those paths instead. See client credentials for the wider flow.
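The three steps above (cache keyed by kid, signature and claim checks, refresh-once on an unknown kid) as one complete local verifier, written here in Go with only the standard library. This is an added example, not Credicorp's SDK or reference code. It assumes the JWKS publishes ES256 (P-256) keys and that `aud` is a single string, and it replaces the live GET /partner/v1/oauth/jwks call with an injectable `Fetch` function so the code runs offline; `JWKSFor` and `MintES256` are constructed issuer-side helpers that exist only so the verifier can be exercised against tokens built locally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Verifier caches JWKS keys by kid and validates tokens without a round trip (single-threaded for brevity).
type Verifier struct {
	Fetch    func() ([]byte, error) // stand-in for GET /partner/v1/oauth/jwks
	Iss, Aud string                 // expected issuer and your resource identifier
	Leeway   time.Duration          // tolerated clock skew on exp
	keys     map[string]*ecdsa.PublicKey
}

// Refresh re-fetches the JWKS and rebuilds the cache; call it on a timer and on demand.
func (v *Verifier) Refresh() error {
	var set struct{ Keys []struct{ Kid, Kty, Crv, X, Y string } }
	if raw, err := v.Fetch(); err != nil {
		return err
	} else if err := json.Unmarshal(raw, &set); err != nil {
		return err
	}
	v.keys = map[string]*ecdsa.PublicKey{}
	for _, k := range set.Keys {
		x, errX := b64.DecodeString(k.X)
		y, errY := b64.DecodeString(k.Y)
		if k.Kty != "EC" || k.Crv != "P-256" || errX != nil || errY != nil {
			continue // only ES256 (P-256) keys are handled in this example
		}
		v.keys[k.Kid] = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	}
	return nil
}

// Verify pins the algorithm, checks the signature, then iss, aud and exp; on an unknown kid it refreshes once and retries.
func (v *Verifier) Verify(token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("malformed token")
	}
	if hdr.Alg != "ES256" { // never let the token choose the algorithm (alg=none, key confusion)
		return nil, errors.New("unsupported alg")
	}
	pub, ok := v.keys[hdr.Kid]
	if !ok { // unknown kid: almost certainly a rotation, so refresh once and retry
		if err := v.Refresh(); err != nil {
			return nil, err
		}
		if pub, ok = v.keys[hdr.Kid]; !ok {
			return nil, errors.New("unknown kid after refresh")
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // JOSE ES256 signatures are raw r||s, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if claims["iss"] != v.Iss || claims["aud"] != v.Aud { // missing claims are nil and fail too; aud assumed a single string
		return nil, errors.New("iss or aud mismatch")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.After(time.Unix(int64(exp), 0).Add(v.Leeway)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

// Issuer-side helpers constructed for this example so it runs offline: publish a key as JWKS JSON, mint an ES256 token.
func JWKSFor(kid string, pub *ecdsa.PublicKey) []byte {
	pad := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kid": kid, "kty": "EC", "crv": "P-256", "x": pad(pub.X), "y": pad(pub.Y)}}})
	return out
}
func MintES256(kid string, priv *ecdsa.PrivateKey, claims map[string]any) string {
	hb, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	pb, _ := json.Marshal(claims)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:]) // error ignored: rand.Reader does not fail for a test helper
	return input + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}
```

Two design points worth noting: the algorithm is pinned to ES256 before any key lookup, so a token cannot downgrade the check by naming a different `alg`; and the refresh on an unknown kid happens at most once per verification, so a flood of tokens with bogus kids cannot turn your verifier into a JWKS-fetching loop. As the text says, nothing here detects a token revoked before `exp`; that path still needs introspection.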
Frequently asked questions
When should I introspect instead of verifying locally?
Use introspection when you must honour a revocation immediately — local JWKS verification cannot see a token revoked before it expires. For everything else, local verification is faster and needs no round trip.
What do I do on an unknown kid?
Re-fetch the JWKS once and retry verification. An unknown kid almost always means a key rotated, not an attack — so refresh before rejecting, but still reject if the token fails after the refresh.