Security News
Socket Security Analysis Is Now One Click Away on npm
npm now links to Socket's security analysis on every package page. Here's what you'll find when you click through.
By Sarah Gooding - Feb 19, 2026
New: Introducing PHP and Composer Support.Read the Announcement →
@solid/identity-token-verifier
Advanced tools
@solid/identity-token-verifier
Verifies Solid access tokens via their WebID claim, and thus asserts ownership of WebIDs.
Solid Token Verifier
This library verifies Solid access tokens via their WebID claim, and thus asserts ownership of WebIDs.
It conforms to the Solid Identity specification.
See also: Solid OIDC Primer Request Flow
Supports
- DPoP Bound Access Tokens
- Bearer Access Tokens
- Caching of:
- WebID Identity Providers
- Identity Providers JSON Web Key Sets
- A minimalistic version of DPoP tokens identifiers to mitigate replays otherwise mostly mitigated by the 60 seconds maximum DPoP Token age, should be improved to take a configurable max requests per seconds to avoid overflow of cache before replay. But de facto, if someone really wanted to mitigate this attack, they should plug a cache that can support high numbers of requests. Someone could easily overflow a lru cache by logging lots of requests as themselves before replaying the token. That is if the server can answer fast enough...
- Custom Identity Verification Classes to extend to specific caching strategies if needed
How to?
Verify Solid Access Tokens with a simple function:
import type { RequestMethod, SolidTokenVerifierFunction } from '@solid/identity-token-verifier';
import { createSolidTokenVerifier } from '@solid/identity-token-verifier';
const solidTokenVerifier: SolidTokenVerifierFunction = createSolidTokenVerifier();
try {
const { client_id: clientId, webid: webId } = await solidTokenVerifier(
authorizationHeader as string,
{
header: dpopHeader as string,
method: requestMethod as RequestMethod,
url: requestURL as string
}
);
console.log(`Verified Access Token via WebID: ${webId} and for client: ${clientId}`);
return { webId, clientId };
} catch (error: unknown) {
const message = `Error verifying Access Token via WebID: ${(error as Error).message}`;
console.log(message);
throw new Error(message);
}
The solidTokenVerifier function takes an authorization header which can be an encoded Bearer or
DPoP bound access token and optional DPoP parameters.
TODO
- Further sanitation of inputs? For example a maximum authorization header size. Needs further discussions before resolution.
- Improve default caching? Assess other libraries that might be used.
- Evolve the type guards and the type guard library.
- Allow http over tls on all WebIDs instead of enforcing https as per: https://github.com/solid/authentication-panel/issues/114.
FAQs
Verifies Solid access tokens via their WebID claim, and thus asserts ownership of WebIDs.
The npm package @solid/identity-token-verifier receives a total of 140 weekly downloads. As such, @solid/identity-token-verifier popularity was classified as not popular.
We found that @solid/identity-token-verifier demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 15 open source maintainers collaborating on the project.
Package last updated on 15 Jan 2021
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Cline CLI npm Package Compromised via Suspected Cache Poisoning Attack
A compromised npm publish token was used to push a malicious postinstall script in cline@2.3.0, affecting the popular AI coding agent CLI with 90k weekly downloads.
By Sarah Gooding - Feb 18, 2026
Product
Socket Brings Supply Chain Security to skills.sh
Socket is now scanning AI agent skills across multiple languages and ecosystems, detecting malicious behavior before developers install, starting with skills.sh's 60,000+ skills.
By Wenxin Jiang, Alexandros Kapravelos - Feb 17, 2026