# Identity Validation

If you have called 'Fetch M2 Web Platform Delegated Auth Token' and passed the result into the HTTP blueprint nodes, your requests to web servers will contain a token that can be used to prove the sender is either a logged-in client or the game server.

<figure><img src="/files/3AclBSBMeExphci947d8" alt=""><figcaption></figcaption></figure>

This token is a very short-lived JWT (expiry ~5 minutes) and is designed to prove that the caller came from the MSquared platform.

The token has the following payload for clients:

```
{
  "scopes": [],
  "user_id": "<userid>",
  "iat": 1717077960,
  "iss": "<issuer>:auth",
  "exp": 1717078260,
  "aud": [
    "<aud>"
  ]
}
```

And the following payload for the game server:

{% hint style="warning" %}
Unreal Servers only support the 'World' scope of tokens; other types will not be generated.
{% endhint %}

```
{
  "scopes": [],
  "client_type": "ue_server",
  "iat": 1717077960,
  "iss": "<issuer>:auth",
  "exp": 1717078260,
  "aud": [
    "<aud>"
  ]
}
```

{% hint style="danger" %}
The `client_type` claim being set to `ue_server` **does not mean that the requester is trustworthy.**

This claim will have the same value in delegated auth tokens for local and user-generated worlds.

Some additional gating is **strongly recommended** when relying on this claim, e.g. checking the project ID claim as well.
{% endhint %}

The JWT header will contain a key ID (`kid`) claim, which can be used to validate the token using the JWKS published at <https://admin.m2worlds.io/.well-known/jwks.json>.

The token can be validated using any JWT validation library, for example [jose](https://github.com/panva/jose) for JavaScript/TypeScript users.

The current issuer in use is `scarcely-calm-lark:auth` and the audience is `scarcely-calm-lark`.

```typescript
import * as jose from 'jose'

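// `jwt` is the delegated auth token string taken from the incoming request.
// createRemoteJWKSet fetches the published keys; the key is selected by the token's `kid`.
const JWKS = jose.createRemoteJWKSet(new URL('https://admin.m2worlds.io/.well-known/jwks.json'))
// jwtVerify throws if the signature, issuer, audience or expiry check fails.
const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS, {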
  issuer: 'scarcely-calm-lark:auth',
  audience: 'scarcely-calm-lark',
})
```

If the token validates successfully, you can use the `user_id` claim, or a `client_type` claim of `ue_server`, to identify the caller.

If you specified a scope in the request, then your token will contain additional claims depending on the scope. For example, if you requested world scope for a user:

```
{
  "scopes": [],
  "user_id": "<userid>",
  "organization_id": "<orgid>",
  "project_id": "<projectid>",
  "world_id": "<worldid>",
  "iat": 1717077960,
  "iss": "<issuer>:auth",
  "exp": 1717078260,
  "aud": [
    "<aud>"
  ]
}
```

It is recommended that you verify the tokens contain the organization, project and world claims you expect.
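
One way to apply this recommendation together with the `client_type` warning above, as an added example (not MSquared's own code): a check that runs on the `payload` returned by `jose.jwtVerify`. The function and type names and the sample IDs are illustrative assumptions, as is the assumption that a world-scoped server token carries the same `organization_id`, `project_id` and `world_id` claims as the user example.

```typescript
// Added example: authorization checks on an already-verified payload.
// Pass in the `payload` returned by jose.jwtVerify, never an unverified token.
const SCOPE_CLAIMS = ['organization_id', 'project_id', 'world_id'] as const

type ExpectedScope = { organization_id: string; project_id: string; world_id: string }
type Caller = { ok: boolean; kind?: 'user' | 'server'; userId?: string; reason?: string }

function identifyCaller(claims: Record<string, unknown>, expected: ExpectedScope): Caller {
  // Gate every caller on the scope claims first: client_type "ue_server" also appears
  // in tokens from local and user-generated worlds, so it proves nothing on its own.
  for (const name of SCOPE_CLAIMS) {
    const value = claims[name]
    if (typeof value !== 'string' || value !== expected[name]) {
      return { ok: false, reason: name + ' missing or unexpected' }
    }
  }
  if (claims['client_type'] === 'ue_server') {
    return { ok: true, kind: 'server' }
  }
  const userId = claims['user_id']
  if (typeof userId === 'string' && userId !== '') {
    return { ok: true, kind: 'user', userId }
  }
  return { ok: false, reason: 'no user_id or ue_server client_type' }
}

// Constructed sample values (placeholders, not real MSquared IDs).
const EXPECTED: ExpectedScope = {
  organization_id: 'org-example',
  project_id: 'project-example',
  world_id: 'world-example',
}
const sampleUser: Record<string, unknown> = { ...EXPECTED, scopes: [], user_id: 'user-example' }
const sampleServer: Record<string, unknown> = { ...EXPECTED, scopes: [], client_type: 'ue_server' }
// Same client_type, but scoped to a project you do not own.
const foreignServer: Record<string, unknown> = { ...sampleServer, project_id: 'other-project' }

console.log(identifyCaller(sampleUser, EXPECTED))
console.log(identifyCaller(sampleServer, EXPECTED))
console.log(identifyCaller(foreignServer, EXPECTED))
```

A token without scope claims, such as the unscoped payloads shown earlier, is rejected by this check, so request the world scope when fetching the token if you rely on it.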

