Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.dynamic.xyz/docs/llms.txt

Use this file to discover all available pages before exploring further.

After the user authenticates with Dynamic, you can use the Dynamic-issued JWT to protect your own backend APIs. The JWT proves the user’s identity — your server verifies it using Dynamic’s public key.

Client / end-user ↔ Customer servers

  1. The user is already authenticated and has a JWT from Dynamic.
  2. Your app sends the JWT to your backend (in the Authorization: Bearer <token> header, or automatically via cookie).
  3. Your backend verifies the JWT using Dynamic’s public key (fetched from the JWKS endpoint and cached).
  4. Your backend verifies the scope contains user:basic — this confirms the user has completed the full authentication flow.
  5. After verification, your backend trusts the claims in the JWT (sub for user ID, verified_credentials, etc.) and authorizes the request.
Critical: You must verify that the JWT scope list includes user:basic. If user:basic is not among the scopes, the user has NOT completed authentication and the JWT should not be trusted for protected operations. See Tokens for code examples.
For full details on JWT structure, claims, and verification steps, see Tokens.