Verify Subscriptions Server-side

Client-side access checks are enough for UI gating, but your backend should not trust the browser alone. This guide walks you through verifying a subscription user's identity on your server before serving protected data.

Verify subscriptions flow: frontend gets token, sends to backend, backend validates with tiun API

How it works

Your frontend gets a signed verification token from tiun
It sends that token to your backend on protected requests
Your backend validates the token before returning data

The token is a signed JWT, valid for 5 minutes. It proves the user is who they say they are, so your server can trust the request.

1. Get the verification token

Call getUserVerificationToken() on the frontend. It returns a token if the user is authenticated, or null if they're not.

const token = await tiun.getUserVerificationToken();

2. Send the token to your backend

Attach it to your API requests, for example as a Bearer token in the Authorization header.

async function fetchProtectedData() {
  const token = await tiun.getUserVerificationToken();

  if (!token) {
    return null;
  }

  const response = await fetch('/api/protected', {
    headers: {
      'Authorization': `Bearer ${token}`
    }
  });

  return response.json();
}

3. Validate on the server

Extract the token from the request and verify it. The implementation depends on your backend, but the pattern is the same: check the token is valid and not expired, then serve the data.

import express from 'express';

const app = express();

app.get('/api/protected', async (req, res) => {
  const auth = req.headers.authorization;
  const token = auth?.startsWith('Bearer ') ? auth.slice(7) : null;

  if (!token) {
    return res.status(401).json({ error: 'Missing token' });
  }

  const verified = await verifyTiunUserToken(token);

  if (!verified) {
    return res.status(401).json({ error: 'Invalid or expired token' });
  }

  res.json({ data: 'Protected content for user ' + verified.sub });
});

Implement verifyTiunUserToken using tiun's signing keys or documented JWT verification steps for your platform.

Full round-trip

Putting it together — the frontend requests protected data, and the backend only serves it after validating the token:

Frontend:

tiun.on('userChange', async (data) => {
  if (!data.isAuthenticated) {
    showPublicContent();
    return;
  }

  const result = await fetchProtectedData();

  if (result) {
    showProtectedContent(result);
  }
});

async function fetchProtectedData() {
  const token = await tiun.getUserVerificationToken();

  if (!token) return null;

  const res = await fetch('/api/protected', {
    headers: { 'Authorization': `Bearer ${token}` }
  });

  if (!res.ok) return null;
  return res.json();
}

Backend:

import express from 'express';

const app = express();

app.get('/api/protected', async (req, res) => {
  const auth = req.headers.authorization;
  const token = auth?.startsWith('Bearer ') ? auth.slice(7) : null;

  if (!token) {
    return res.status(401).json({ error: 'No token' });
  }

  const verified = await verifyTiunUserToken(token);

  if (!verified) {
    return res.status(401).json({ error: 'Invalid token' });
  }

  res.json({ premium: true, userId: verified.sub });
});

For a conceptual overview of access verification, see Verifying Access in the Docs.

PreviousBuild a Time-based Paywall NextVerify Sessions Server-side

Last updated 28 days ago

Was this helpful?

Good night

hashtagHow it works

hashtag1. Get the verification token

hashtag2. Send the token to your backend

hashtag3. Validate on the server

hashtagFull round-trip

How it works

1. Get the verification token

2. Send the token to your backend

3. Validate on the server

Full round-trip