Create a Custom JWT Auth Server

• Create a new directory for your project and navigate to it in your CLI

  mkdir jwt-auth-server
  cd jwt-auth-server
  

• Initialize a new Node.js application

  npm init -y
  yarn init -y
  

• Install the necessary packages

  npm install express jsonwebtoken
  

• To generate a private and a public key run

  ssh-keygen -t rsa -b 2048 -m PEM -f keys/rsa.key
  

• To create the output file run

  openssl rsa -in keys/rsa.key -pubout -outform PEM -out keys/rsa.key.pub
  

• Display the public key:

  cat keys/rsa.key.pub
  

• Copy the displayed public key.

• Convert your public key to a JWK using an online JWK Creator tool. We recommend using JWK Creator by Russel Davies.

  • Paste the public key, set Key ID as 0 (arbitrary string, must match when signing JWT), and then note down the generated JWK.
  

• Create a jwks.json in the project root and place the generated JWK in a keys array.

  {
    "keys": [
      {
         ... JWK ...
      }
    ]
  }
  

• In the jw-auth-server directory, create a file at the root named server.js and paste the following:

  const express = require("express");
  const fs = require("fs");
  const jwt = require("jsonwebtoken");
   
  const app = express();
  const PORT = process.env.PORT || 3000;
   
  const PRIVATE_KEY = fs.readFileSync("./keys/rsa.key", "utf8");
  const jwks = require("./jwks.json");
   
  const users = [
    { id: 1, email: "[email protected]", password: "password123" },
  ];
   
  app.use(express.json());
   
  app.post("/login", (req, res) => {
    const { email, password } = req.body;
    const user = users.find(
      (u) => u.email === email && u.password === password,
    );
    if (!user)
      return res.status(401).send({ message: "Invalid credentials" });
   
    const payload = {
      iss: "http://your-domain.com",
      sub: user.id.toString(),
      aud: "EpicGame",
      email: user.email,
      exp: Math.floor(Date.now() / 1000) + 3600,
    };
   
    const token = jwt.sign(payload, PRIVATE_KEY, {
      algorithm: "RS256",
      keyid: "0",
    });
   
    res.send({ token });
  });
   
  app.get("/.well-known/jwks.json", (req, res) => {
    res.json(jwks);
  });
   
  app.listen(PORT, () => {
    console.log(`Server started on port ${PORT}`);
  });
  

• Replace http://your-domain.com with the actual domain for the application.

• Start the server:

  node server.js
  

• Test login:

  curl -X POST http://localhost:3000/login -H "Content-Type: application/json" -d '{"email": "[email protected]", "password": "password123"}'
  

• Test JWKS:

  curl http://localhost:3000/.well-known/jwks.json
  

To deploy the server, you can use services such as Zeet or Docker.

Once deployed, replace http://localhost:3000 in the JWT payload with your actual domain

• Navigate to Wallets > In-App Wallets in the thirdweb dashboard.

• Create a thirdweb API key if you don't have one or select an existing key to use for this project. Learn more about API keys.

  

• Allowlist domain or bundle IDs in Access Restrictions.

• Navigate to the Configuration view and enable Custom JSON Web Token

  

• Set the JWKS URI to your-domain/.well-known/jwks.json

• Set the AUD to EpicGame or the value you set as the aud in the server.js file.

  

• Copy the client ID.

• In your preferred thirdweb client SDK, pass the JWT you retrieved from logging in to the server.