Offline verification

Offline verification of a Google-issued JWT means checking its authenticity entirely on the client side, without making a network request to Google during the check itself. Ahead of time, the client fetches Google’s public JWK set (a JSON Web Key list) from https://www.googleapis.com/oauth2/v3/certs; this set can be cached and refreshed periodically. To verify a token, the client parses the JWT’s header to locate the key identifier (kid), selects the matching public key from the JWK set, and then verifies the RS256 signature over the base64url-encoded header and payload.
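
The steps above, written out with only Python's standard library so the kid lookup and the RSA check are each visible; this is an added example, not code from the original page or its project. The names `verify_rs256`, `demo_key` and `demo_sign` are hypothetical, and the 1024-bit key and the token are constructed at run time so the example runs offline in place of Google's real JWK set.

```python
import base64, hashlib, hmac, json, random
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
def b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def encode_em(msg, k):
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(msg)), k bytes long
    t = PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token, jwks):
    """Return the claims if the signature checks out against the cached JWK set."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(b64d(h64)), b64d(s64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")  # the verifier pins the algorithm, not the token
    kid = header.get("kid")
    jwk = next((key for key in jwks["keys"]
                if kid and key.get("kty") == "RSA" and key.get("kid") == kid), None)
    if jwk is None:
        raise ValueError("unknown kid")  # cached set may be stale: refresh, then retry
    n, e = (int.from_bytes(b64d(jwk[x]), "big") for x in ("n", "e"))
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    ok = len(sig) == k and s < n and hmac.compare_digest(
        pow(s, e, n).to_bytes(k, "big"), encode_em(f"{h64}.{p64}".encode(), k))
    if not ok:
        raise ValueError("bad signature")
    return json.loads(b64d(p64))

def demo_key(kid, seed):
    # CONSTRUCTED 1024-bit test key (Fermat-tested primes, fixed seed); not for real use
    rng = random.Random(seed)
    def prime():
        while True:
            p = rng.getrandbits(512) | (1 << 511) | 1
            if (p - 1) % 65537 and all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7)):
                return p
    p, q = prime(), prime()
    n, d = p * q, pow(65537, -1, (p - 1) * (q - 1))
    return {"kty": "RSA", "kid": kid, "n": b64e(n.to_bytes(128, "big")), "e": "AQAB"}, (n, d)

def demo_sign(claims, kid, n, d):
    # Signs a CONSTRUCTED token with the test key so the verifier has input offline
    h, p = (b64e(json.dumps(x).encode()) for x in ({"alg": "RS256", "kid": kid}, claims))
    s = pow(int.from_bytes(encode_em(f"{h}.{p}".encode(), 128), "big"), d, n)
    return f"{h}.{p}.{b64e(s.to_bytes(128, 'big'))}"
```

A valid signature only shows which key signed the token; the `iss`, `aud` and `exp` claims it returns still have to be checked before the token is trusted.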

In our case, the verification is performed as a ZK proof run by a smart contract on Cardano.