Skip to main content
GET
/
api
/
auth
/
verify
Verify Token
curl --request GET \
  --url https://api.example.com/api/auth/verify \
  --header 'Authorization: <authorization>'
{
  "valid": true,
  "user_id": 123,
  "username": "<string>"
}

Overview

The token verification endpoint validates an access token and returns the associated user information. This is useful for verifying that a token is still valid before making API requests or for getting the current user’s identity.

Endpoint

GET /api/auth/verify

Authentication

This endpoint requires a valid JWT access token in the Authorization header.

Request

Headers

Authorization
string
required
Bearer token for authenticationFormat: Bearer <access_token>

Example Request

curl -X GET https://vega.benidevo.com/api/auth/verify \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Response

Success Response (200 OK)

valid
boolean
Indicates whether the token is valid
user_id
integer
The ID of the authenticated user
username
string
The username of the authenticated user

Example Response

{
  "valid": true,
  "user_id": 123,
  "username": "john_doe"
}

Error Responses

401 Unauthorized - Missing Authorization Header

{
  "error": "missing authorization header"
}

401 Unauthorized - Invalid Header Format

{
  "error": "invalid authorization header format"
}
The Authorization header must follow the format: Bearer <token>

401 Unauthorized - Invalid or Expired Token

{
  "error": "invalid or expired token"
}
This error occurs when:
  • The token signature is invalid
  • The token has expired
  • The token format is malformed
  • The token was revoked

Use Cases

Verify Token Before API Calls

Before making authenticated API requests, verify that your access token is still valid: 
async function makeAuthenticatedRequest(endpoint) {
  // First, verify the token
  const verifyResponse = await fetch('/api/auth/verify', {
    headers: {
      'Authorization': `Bearer ${accessToken}`
    }
  });

  if (!verifyResponse.ok) {
    // Token is invalid, refresh it
    const newToken = await refreshAccessToken();
    accessToken = newToken;
  }

  // Now make the actual request
  return fetch(endpoint, {
    headers: {
      'Authorization': `Bearer ${accessToken}`
    }
  });
}

Get Current User Information

Retrieve the currently authenticated user’s details: 
async function getCurrentUser() {
  const response = await fetch('/api/auth/verify', {
    headers: {
      'Authorization': `Bearer ${accessToken}`
    }
  });

  if (response.ok) {
    const data = await response.json();
    return {
      id: data.user_id,
      username: data.username
    };
  }

  throw new Error('Not authenticated');
}

Extension/Client Authentication Check

Browser extensions or client applications can verify authentication status: 
// Check if user is authenticated
async function isAuthenticated() {
  try {
    const response = await fetch('/api/auth/verify', {
      headers: {
        'Authorization': `Bearer ${accessToken}`
      }
    });
    return response.ok && (await response.json()).valid;
  } catch (error) {
    return false;
  }
}

Implementation Details

This endpoint is implemented in internal/api/auth/handlers.go:VerifyToken. 
func (h *AuthAPIHandler) VerifyToken(ctx *gin.Context) {
    authHeader := ctx.GetHeader("Authorization")
    if authHeader == "" {
        ctx.JSON(http.StatusUnauthorized, gin.H{"error": "missing authorization header"})
        return
    }

    const bearerPrefix = "Bearer "
    if len(authHeader) < len(bearerPrefix) || authHeader[:len(bearerPrefix)] != bearerPrefix {
        ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid authorization header format"})
        return
    }

    token := authHeader[len(bearerPrefix):]
    claims, err := h.authService.VerifyToken(token)
    if err != nil {
        ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid or expired token"})
        return
    }

    ctx.JSON(http.StatusOK, gin.H{
        "valid":    true,
        "user_id":  claims.UserID,
        "username": claims.Username,
    })
}

Security Notes

This endpoint validates the token’s signature and expiration but does not check if the token was explicitly revoked. For self-hosted instances, token revocation is not currently implemented.
All token verification is done using JWT signature validation with the TOKEN_SECRET configured in your environment variables.

Login

Obtain an access token

Refresh Token

Refresh an expired access token

Build docs developers (and LLMs) love

Get started for freeTalk to us