Verification

The Memberstack Admin Package provides essential verification functionality for secure server-side operations, including token verification and webhook validation. These features are crucial for maintaining security in your Memberstack implementation.

Before You Start

  • Make sure you've initialized the Admin Package with your secret key as shown in the Quick Start guide
  • For webhook verification, you'll need your webhook secret from the Memberstack dashboard
  • Understanding of JWT tokens is helpful for token verification

Verify Member Token

Validate a member's JWT token and access the payload.

The verifyToken() method allows you to validate Memberstack JWT tokens and extract member information:

Token Verification Response:

Token Verification Parameters

  • Required:
    • token - The JWT token to verify (usually from Authorization header)
  • Optional:
    • audience - Your app ID for additional verification (recommended for enhanced security)
💡 Tip:

Best practices for token verification:

  • Always include audience validation when possible
  • Implement proper error handling for expired or invalid tokens
  • Check the token expiration time to handle near-expiry scenarios
  • Store the member ID from the token for database lookups

Implementing Authentication Middleware

Here's an example of how to create an Express.js middleware for authenticating member requests:

Common Token Issues

  • Expired tokens: The token has passed its expiration time and is no longer valid
  • Invalid signature: The token has been tampered with or was created with a different key
  • Audience mismatch: The token was issued for a different application than expected
  • Format errors: The token is malformed or doesn't follow JWT standards

Verify Webhook Signature

Ensure webhook payloads are authentic and haven't been tampered with.

Memberstack uses Svix under the hood for secure webhook delivery. This section explains how to properly verify incoming webhook requests to ensure they are legitimate and haven't been tampered with.

⚠️ Important:

Important Header Information: Memberstack webhook verification requires specific headers that are sent with each webhook request:

  • svix-id - Unique identifier for the webhook event
  • svix-timestamp - When the webhook was sent
  • svix-signature - The cryptographic signature for verification

Always use these exact header names in your verification code. Previous header formats (like ms-webhook-id) are no longer supported.

Basic Verification Example

Here's how to verify a webhook signature in an Express.js application:

💡 Tip:

Common Verification Issues:

  • Use express.raw() - not express.json() - for the webhook endpoint
  • Preserve the raw body - modifying the body before verification will cause the signature check to fail
  • Header case - some frameworks lowercase header names, so look them up case-insensitively
  • Correct webhook secret - make sure you're using the signing secret for this endpoint from your dashboard
  • Parse JSON after verification - only parse the JSON payload once the signature has been verified

Troubleshooting Header Errors

If you encounter the error "Please provide the svix-id, svix-timestamp, and svix-signature headers", follow these steps:

Header Troubleshooting

  1. Debug the headers you're receiving:
  2. Check for case transformations: Some frameworks convert headers to lowercase. Try:
  3. Pass headers object directly: Some frameworks may allow access to the raw headers:

Next.js API Route Example

For Next.js API routes, you'll need to disable the built-in body parsing:

Webhook Security Best Practices

  • Always verify the webhook signature to prevent spoofing
  • Implement idempotency using the webhook ID to prevent duplicate processing
  • Store webhook events in a queue to ensure reliable processing
  • Set up appropriate timeouts for webhook processing
  • Return 2xx status codes promptly to acknowledge receipt (even if processing continues asynchronously)
  • Rotate webhook secrets periodically for enhanced security

Finding Your Webhook Secret

To get your webhook secret:

  1. Log in to your Memberstack dashboard
  2. Navigate to "DevTools" > "Webhooks"
  3. Find or create your webhook endpoint
  4. Copy the "Signing Secret" value

Store this secret securely in your environment variables, not in your code.

Common Use Cases

Practical examples for implementing token verification.

Express.js Authentication Middleware

Here's an example of creating a reusable middleware for authenticating requests in an Express.js application:

Next.js API Route Protection

Here's how to protect API routes in a Next.js application:

Permission-Based Access Control

Implement role-based or permission-based access control by combining token verification with member data:
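The following is an added example, not Memberstack's own code, covering the Express.js authentication middleware described above and the permission check in this section. It wraps the Admin Package's verifyToken({ token, audience }) call from the Token Verification Parameters; the initialized client is injected so the middleware can be unit-tested with a stub (in an app, pass the real @memberstack/admin instance). Assumed, not taken from this page: the verified payload exposes the member id as `id` and the standard JWT `exp` claim in seconds, and loadPermissions is an app-side lookup you supply.

```javascript
// Added example (not Memberstack code): authentication and permission middleware.
const NEAR_EXPIRY_SECONDS = 5 * 60; // warn clients whose token expires within 5 minutes

// Returns the bearer token from an Authorization header, or null if absent/malformed.
function extractBearerToken(authorization) {
  const match = /^Bearer\s+(\S+)$/i.exec(typeof authorization === "string" ? authorization.trim() : "");
  return match ? match[1] : null;
}

// Authentication: verifies the token and attaches { id, payload } as req.member.
// `memberstack` is the initialized Admin client; `now` is injectable for testing.
function createAuthMiddleware(memberstack, { audience, now = () => Math.floor(Date.now() / 1000) } = {}) {
  return async function requireMember(req, res, next) {
    const token = extractBearerToken(req.headers.authorization);
    if (!token) return res.status(401).json({ error: "Missing or malformed bearer token" });
    let payload;
    try {
      // Passing audience makes the verifier reject tokens minted for another app.
      payload = await memberstack.verifyToken({ token, audience });
    } catch (err) {
      // Expired, bad signature, audience mismatch and format errors all land here.
      // Log err server-side; do not echo its message to the caller.
      return res.status(401).json({ error: "Invalid or expired token" });
    }
    const secondsLeft = payload.exp - now(); // assumed standard `exp` claim (seconds)
    if (secondsLeft <= 0) return res.status(401).json({ error: "Token expired" });
    // Near expiry: tell the client so it can refresh before it loses access.
    if (secondsLeft < NEAR_EXPIRY_SECONDS) res.set("X-Token-Expires-In", String(secondsLeft));
    req.member = { id: payload.id, payload }; // assumed `id` field; key database lookups on it
    return next();
  };
}

// Authorization: run after requireMember. loadPermissions(memberId) is an assumed
// app-side lookup (your database, or member data fetched via the Admin Package).
function requirePermission(loadPermissions, permission) {
  return async function checkPermission(req, res, next) {
    if (!req.member) return res.status(401).json({ error: "Not authenticated" });
    const granted = await loadPermissions(req.member.id);
    if (!granted.includes(permission)) return res.status(403).json({ error: "Forbidden" });
    return next();
  };
}
```

Wire it up as app.get("/reports", requireMember, requirePermission(loadPermissions, "read:reports"), handler), with requireMember created once via createAuthMiddleware(memberstack, { audience: process.env.MEMBERSTACK_APP_ID }).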

Next Steps

Now that you understand token verification, you might want to explore:

Need Help?

Having trouble getting your login working? We're here to help!

Thank you for choosing Memberstack 🙏