Phonelink

phonelink/validate

API reference for the Phonelink server-side token verification.

Exports

The phonelink/validate entry point exports the following:

ExportTypeDescription
validatefunctionVerifies a Phonelink JWT token
PhonelinkPayloadtypeTypeScript type for the decoded JWT payload

validate(token, expectedNonce, expectedAud)

Verifies a Phonelink JWT token against the JWKS endpoint.

Parameters

ParameterTypeDescription
tokenstringThe JWT returned from the client verification flow
expectedNoncestringThe nonce returned alongside the token, for replay protection
expectedAudstringYour Phonelink client ID (must match the token's aud claim)

Returns

Promise<PhonelinkPayload>

Resolves with the verified payload on success.

Throws

ErrorCause
JWSSignatureVerificationFailedJWT signature does not match the JWKS keys
JWTClaimValidationFailedIssuer is not https://phone.link, or audience doesn't match expectedAud
JWTExpiredToken has expired
Error("Nonce mismatch")payload.nonce does not equal expectedNonce
Error("Phone number not verified")payload.verified is not true

Validation steps

  1. Fetches the public keys from https://phone.link/.well-known/jwks.json (cached automatically)
  2. Verifies the JWT signature
  3. Checks the iss claim equals https://phone.link
  4. Checks the aud claim equals expectedAud
  5. Checks the token has not expired
  6. Checks payload.nonce equals expectedNonce
  7. Checks payload.verified is true

PhonelinkPayload

TypeScript interface for the decoded JWT payload returned by validate.

PropertyTypeDescription
phone_e164stringVerified phone number in E.164 format (e.g. "+14155551234")
verifiedbooleanWhether the phone number was successfully verified
methodstringVerification method used (e.g. SMS, voice call)
providerstringVerification provider that handled the verification
noncestringCryptographic nonce for replay protection
substringSubject identifier for the verification session
issstringToken issuer (always "https://phone.link")
audstringAudience (your Phonelink client ID)
iatnumberUnix timestamp (seconds) when the token was issued
expnumberUnix timestamp (seconds) when the token expires
jtistringUnique identifier for this specific token
import type { PhonelinkPayload } from "phonelink/validate";

phonelink/web

API reference for the Phonelink web client.

phonelink/expo

API reference for the Phonelink Expo/React Native client.

On this page

Exportsvalidate(token, expectedNonce, expectedAud)ParametersReturnsThrowsValidation stepsPhonelinkPayload