Access user data securely with Privy identity tokens
Identity tokens provide a secure and efficient way to access user data, especially on the server side. These tokens are JSON Web Tokens (JWTs) whose claims contain information about the currently authenticated user, including their linked accounts, metadata, and more.Privy strongly recommends using identity tokens when you need user-level data on your server. They allow you to easily pass a signed representation of the current user’s linked accounts from your frontend to your backend directly, letting you verifiably determine which accounts (wallet address, email address, Farcaster profile, etc.) are associated with the current request.
Enable identity tokens in the Privy
Dashboard before implementing
this feature.
Once you’ve enabled identity tokens, Privy will automatically include the identity token as a cookie on every request from your frontend to your server.For setups where you cannot use cookies, you can retrieve the identity token using the useIdentityToken hook:
Report incorrect code
Copy
Ask AI
import { useIdentityToken } from '@privy-io/react-auth';function MyComponent() { const { identityToken } = useIdentityToken(); // Use the token in your API requests const callApi = async () => { const response = await fetch('/api/your-endpoint', { headers: { 'privy-id-token': identityToken } }); }; return ( <button onClick={callApi}>Call API</button> );}
We strongly recommend setting a base domain for your application, so that Privy can set the identity token as a more secure HttpOnly cookie.
On your server, you can retrieve the identity token from incoming requests and use it to identify the user.
Report incorrect code
Copy
Ask AI
// pages/api/example.tsimport type { NextApiRequest, NextApiResponse } from 'next';import { getUser } from '@privy-io/server-auth';export default async function handler(req: NextApiRequest, res: NextApiResponse) { try { // Get identity token from cookie const idToken = req.cookies['privy-id-token']; // Or from header if sent that way // const idToken = req.headers['privy-id-token']; if (!idToken) { return res.status(401).json({ message: 'Unauthorized' }); } // Parse and verify the token const user = await getUser({ idToken }); // Now you can use the user data return res.status(200).json({ userId: user.id, // Other user data... }); } catch (error) { console.error('Error verifying identity token:', error); return res.status(401).json({ message: 'Invalid token' }); }}
Privy allows you to set custom metadata for a user via backend API requests. This metadata is available in the custom_metadata claim of the identity token.Here’s how to parse and access it:
Report incorrect code
Copy
Ask AI
import {PrivyClient} from '@privy-io/server-auth';import * as jose from 'jose';const client = new PrivyClient(PRIVY_APP_ID, PRIVY_APP_SECRET);// Method 1: Using getUser (recommended)async function getUserWithMetadata(idToken) { const user = await client.getUser({idToken}); // Custom metadata is already parsed and available return user.customMetadata;}// Method 2: Manual parsingasync function parseCustomMetadata(idToken) { const verificationKey = await jose.importJWK(/* your verification key */); try { const {payload} = await jose.jwtVerify(idToken, verificationKey, { issuer: 'privy.io', audience: 'your-privy-app-id' }); if (payload && payload.custom_metadata) { return JSON.parse(payload.custom_metadata); } return {}; } catch (error) { console.error('Error parsing identity token:', error); throw error; }}
When your server receives a request with an identity token, you should verify the token’s signature to authenticate the user. The preferred way is to use the getUser method from @privy-io/server-auth, which handles verification and parsing:
Report incorrect code
Copy
Ask AI
import {PrivyClient} from '@privy-io/server-auth';const client = new PrivyClient(PRIVY_APP_ID, PRIVY_APP_SECRET);async function verifyAndGetUser(idToken) { try { // This verifies the token signature and parses the payload const user = await client.getUser({idToken}); return user; } catch (error) { console.error('Invalid identity token:', error); throw new Error('Authentication failed'); }}
The verifyAuthToken method will not work on identity tokens, as it is only used to verify Privy
access tokens. Always use getUser({idToken}) when working with identity tokens.
For manual verification without using getUser, you can use JWT libraries like jose:
Report incorrect code
Copy
Ask AI
import * as jose from 'jose';async function verifyIdentityToken(idToken) { // Import the public key const publicKey = await jose.importJWK({ // Your public key in JWK format }); try { // Verify the token const {payload} = await jose.jwtVerify(idToken, publicKey, { issuer: 'privy.io', audience: 'your-privy-app-id' }); return payload; } catch (error) { console.error('Token verification failed:', error); throw new Error('Authentication failed'); }}