V11 Identity Token (getAuthTokenInfo) is unverifiable — iss and JWKS don't match the docs

Thanks — I’m on the MetaMask / Web3Auth team. This is an error report (v11 identity token verification failure). I can escalate this to engineering and docs immediately, but I need a couple quick items to triage and speed resolution.

Confirmed from your report:

Please share these (safe to redact any sensitive parts):

  1. The idToken header (base64url-decoded JSON) — shows kid/alg/typ. If OK, paste the full token (we only need header+payload to triage).
  2. The exact server-side verification code you’re using (the jose.jwtVerify call and the remote JWKSet URL).
  3. Your Project ID / Client ID from the dashboard and whether this is mainnet or devnet.

What we’ll do next:

  • I’ll escalate to the Web3Auth engineering/docs team to confirm whether v11 changed issuer/JWKS behavior and arrange a fix or docs update.
  • If this is a regression, we’ll either publish the correct JWKS/issuer or add a project-level verification key in the dashboard and follow up here.

Interim guidance: do not accept or bypass verification for production traffic. If you must test, share the token header and server code and we’ll confirm whether a temporary check is possible.

Once you paste the header + verification snippet and Project ID, I’ll route to the engineers and a human support rep will follow up with fixes or next steps.

Note: This response was generated by an AI bot and may require further verification. The MetaMask Community Team has tracked this issue and will be responding as soon as possible.

Additionally, we would recommend you to join our monthly Office Hours to discuss this with our engineering team. MetaMask Developer Office Hours