Verifies Solid OIDC access tokens via their webid claim, and thus asserts ownership of a WebID.

Usage no npm install needed!

<script type="module">
  import solidAccessTokenVerifier from 'https://cdn.skypack.dev/@solid/access-token-verifier';


Solid OIDC Access Token Verifier

Project Solid Test workflow npm package

This library verifies Solid OIDC access tokens via their webid claim, and thus asserts ownership of a WebID.

It conforms to the Solid OIDC specification.

See also: Solid OIDC Primer Request Flow


  • DPoP Bound Access Tokens
  • Bearer Access Tokens
  • Caching of:
    • WebID Identity Providers
    • Identity Providers JSON Web Key Sets
    • A minimalistic version of DPoP tokens identifiers to mitigate replays otherwise mostly mitigated by the 60 seconds maximum DPoP Token age, should be improved to take a configurable max requests per seconds to avoid overflow of cache before replay. But de facto, if someone really wanted to mitigate this attack, they should plug a cache that can support high numbers of requests. Someone could easily overflow a lru cache by logging lots of requests as themselves before replaying the token. That is if the server can answer fast enough...
  • Custom Identity Verification Classes to extend to specific caching strategies if needed

How to?

Verify Solid Access Tokens with a simple function:

import type { RequestMethod, SolidTokenVerifierFunction } from '@solid/access-token-verifier';
import { createSolidTokenVerifier } from '@solid/access-token-verifier';

const solidOidcAccessTokenVerifier: SolidTokenVerifierFunction = createSolidTokenVerifier();

try {
  const { client_id: clientId, webid: webId } = await solidOidcAccessTokenVerifier(
    authorizationHeader as string,
      header: dpopHeader as string,
      method: requestMethod as RequestMethod,
      url: requestURL as string

  console.log(`Verified Access Token via WebID: ${webId} and for client: ${clientId}`);

  return { webId, clientId };
} catch (error: unknown) {
  const message = `Error verifying Access Token via WebID: ${(error as Error).message}`;


  throw new Error(message);

The solidOidcAccessTokenVerifier function takes an authorization header which can be an encoded Bearer or DPoP bound access token and optional DPoP parameters.