simon/skills

Auto-generated tile from GitHub (10 skills)

92

1.16x
Quality

94%

Does it follow best practices?

Impact

92%

1.16x

Average score across 44 eval scenarios

SecuritybySnyk

Advisory

Suggest reviewing before use

Overview
Quality
Evals
Security
Files

evals/scenario-31/task.md

Secure an Internal API Gateway with Token Validation

Problem/Feature Description

A platform engineering team is building an internal API gateway in Fastify that sits in front of several microservices. Tokens for this gateway are issued by a third-party identity provider (the company uses Auth0). The team needs a reusable request hook that validates incoming bearer tokens on every protected request, rejecting expired or tampered tokens before they ever reach the service handlers.

In addition, since sessions can last days, the gateway must support access token refresh. The identity provider supports refresh token rotation — meaning each refresh call may return a new refresh token, and the old one becomes invalid immediately. The token refresh utility must handle this correctly to avoid locking users out.

Environment variables available at runtime: JWT_PUBLIC_KEY (PEM-encoded public key from the identity provider), EXPECTED_ISSUER, EXPECTED_AUDIENCE.

Output Specification

Produce the following files for a TypeScript Fastify project:

  • hooks/verifyToken.ts — the token verification hook used to guard routes
  • routes/api.ts — at least one protected route that uses the hook (e.g. a /me endpoint returning the token subject)
  • utils/tokenRefresh.ts — the refresh token utility function

The code should be ready to drop into a Fastify project. Do not include actual key material — read everything from environment variables.
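The verification hook the task asks for, as an added example (not the scenario's reference solution, and not Auth0's or Fastify's code). It implements the RS256 check with Node's built-in `crypto` module so the individual checks are visible; a real gateway would normally delegate the parsing and verification to a maintained JWT library. The issuer, audience and key pair used in the test are constructed values.

```typescript
import { createPublicKey, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

export interface Claims { iss?: string; aud?: string | string[]; exp?: number; sub?: string; [k: string]: unknown }

const fromB64url = (s: string): Buffer => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
const toB64url = (b: Buffer): string => b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Verify "Authorization: Bearer <jwt>" against a pinned RS256 public key, issuer and audience.
// `now` (seconds) is injectable so expiry handling can be tested deterministically.
export function verifyBearer(authHeader: string | undefined, publicKeyPem: string,
  expectedIssuer: string, expectedAudience: string, now = Math.floor(Date.now() / 1000)): Claims {
  const m = /^Bearer\s+([\w-]+\.[\w-]+\.[\w-]+)$/.exec(authHeader ?? "");
  if (!m) throw new Error("missing or malformed bearer token");
  const [h, p, s] = m[1].split(".");
  const header = JSON.parse(fromB64url(h).toString("utf8"));
  // Pin the algorithm server-side; the token's own header must never choose it.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const key: KeyObject = createPublicKey(publicKeyPem);
  // sha256 with an RSA key is RSASSA-PKCS1-v1_5, i.e. RS256; the signature covers "header.payload".
  if (!verify("sha256", Buffer.from(`${h}.${p}`), key, fromB64url(s))) throw new Error("invalid signature");
  const claims: Claims = JSON.parse(fromB64url(p).toString("utf8"));
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired");
  if (claims.iss !== expectedIssuer) throw new Error("unexpected issuer");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAudience)) throw new Error("unexpected audience");
  return claims;
}

// Fastify preHandler wiring: reads the env vars named in the task and answers 401 on any failure.
export async function verifyToken(request: any, reply: any): Promise<void> {
  try {
    request.user = verifyBearer(request.headers.authorization, process.env.JWT_PUBLIC_KEY ?? "",
      process.env.EXPECTED_ISSUER ?? "", process.env.EXPECTED_AUDIENCE ?? "");
  } catch {
    return reply.code(401).send({ error: "unauthorized" });
  }
}

// Test-only helpers (constructed stand-ins for the IdP) so the checks above can be exercised offline.
export function mintToken(privateKeyPem: string, claims: Claims, alg = "RS256"): string {
  const h = toB64url(Buffer.from(JSON.stringify({ alg, typ: "JWT" })));
  const p = toB64url(Buffer.from(JSON.stringify(claims)));
  return `${h}.${p}.${toB64url(sign("sha256", Buffer.from(`${h}.${p}`), privateKeyPem))}`;
}

export function testKeyPair(): { publicKey: string; privateKey: string } {
  return generateKeyPairSync("rsa", { modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" }, privateKeyEncoding: { type: "pkcs8", format: "pem" } });
}
```

Register the hook with `fastify.addHook("preHandler", verifyToken)` on the protected routes; the refresh utility is a separate concern and is not covered here.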
