@Michael_Ragalie I’ve finally gotten around to playing around with this and I have a question. I found the npm library which seems to work well (thank you Leigh Barnes).
However, there’s part of my app’s server that will be hosted on Google Apps Script and I have to manually decode and verify the JWT there. When I do:
var byteSignature = Utilities.computeHmacSha256Signature(<header>.<payload>, 'sshhh');
var signed = Utilities.base64EncodeWebSafe(byteSignature);
signed equals the from the JWT, except signed has an extra = padding character(s) at the end. It seems all the Apps Script methods for Base64Encode will pad it. Is it safe to just drop any padding = characters for the purposes of the boolean comparison? Or is there a different / better way?