Hi Xano Community,
I'm working on integrating Xano authentication with my Next.js frontend. My goal is to verify the JWT access token (generated by the standard /auth/login endpoint using the Create Authentication Token function) within my Next.js middleware using the jose library. I'm assuming the default signing algorithm used by Create Authentication Token is HS256, as seems common.
To verify the JWS signature, I need the secret key used by Xano for signing. In my Workspace Environment Variables, I've found two potentially relevant keys:
magic_jwt_secret: This seems related to the Magic Link functionality (which often uses JWE for encryption).
JWE_SECRET_KEY: This clearly seems intended for JWE encryption/decryption, and I have its value (JWK format with kty: "oct").
My main questions are:
Which environment variable holds the secret key used by the standard Create Authentication Token function for signing JWS tokens (presumably with HS256)? Is it indeed magic_jwt_secret even though the name suggests Magic Link/JWE?
I'm currently unable to reveal the value of magic_jwt_secret in the Workspace Settings -> Manage Environment Variables UI. Clicking the crossed-out eye icon doesn't show the value (I am the workspace owner/admin). Is this expected behavior, a potential UI bug, or could there be another reason I can't view it? How can I reliably obtain this secret's value?
If neither of these variables is the correct one for standard JWS (HS256) signing, where should I look for the secret key used by Create Authentication Token?
My specific use case requires verifying the signature of the standard access token in my Next.js backend/middleware, so getting the correct HS256 signing secret is crucial.
Thanks in advance for any clarification or guidance!