Okta has created a simplified Node library to make this easy for Okta applications, Okta JWT Verifier. Below is an example that shows you how to validate access tokens for a specific Okta authorization server (the issuer) and adds a secondary check for the audience of the token. To learn more about validating Okta access tokens, please see Validating Access Tokens.

const OktaJwtVerifier = require('@okta/jwt-verifier');

const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: 'http://{your-okta-org-url}/oauth2/default',
  assertClaims: {
    aud: 'api://default'

// The access token string, which should be obtained from the Authorization header on the request to your server
const accessTokenString = 'eyJhbGciOiJSUzI1NiIsImtpZCI6Imk2UnRjSkxvbUg0e...';

  .then(jwt => {
    // the token is valid
  .catch(err => {
    // a validation failed, inspect the error