Skip to main content
POST
Verify External User
Accepts a JWT signed by your own auth system and returns Sublay tokens. If the user does not exist in the project, they are created. If they do exist, their profile is updated with any changed fields from the JWT payload. The JWT must be signed with the RSA private key corresponding to the public key configured in your Sublay project settings.

Body Parameters

userJwt
string
required
A JWT signed with your project’s RSA private key (RS256 algorithm). The payload must include sub (external user ID) and iss (your Sublay project ID). The userData claim may contain optional profile fields.

JWT Payload Structure

The userJwt must contain:

userData fields

Response

success
boolean
true on success.
accessToken
string
Short-lived JWT access token. Expires in 30 minutes.
refreshToken
string
Long-lived JWT refresh token. Expires in 30 days.
user
object
The verified or created user’s profile.

Error Responses

The project does not have a public key configured.
The JWT signature is invalid or the token is expired.
The iss claim in the JWT does not match the request project ID.

See Also