Как проверить jwt токен на валидность
Перейти к содержимому

Как проверить jwt токен на валидность

  • автор:

React — How to check if JWT is valid before sending a post request?

another noob question. I’m logging in my user to the system using JWT authorization, getting the token and saving it in localstorage and then sending a post request that saves data (its a big form basically). Problem is, the sever is invalidating the token after a given time (20 minutes or so) and so, some of my post requests are returning 401 status . How to verify (and if needed, show a login prompt) before sending the post request? I’m using redux-form to make my forms.

P.S: I know I’m supposed to use action creators and such, but I’m still a newbie, so not very good at those stuff.

here’s my authentication:

and here’s the POST request (I’m getting the values object from redux-form )

How to Sign and Validate JSON Web Tokens – JWT Tutorial

Kris Koishigawa

Kris Koishigawa

How to Sign and Validate JSON Web Tokens – JWT Tutorial

A JSON Web Token, or JWT, is an open standard for securely creating and sending data between two parties, usually a client and a server.

If you’ve ever signed in to a site like freeCodeCamp with your Google or GitHub account, there’s a good chance that you’re already using a JWT.

In this article, we’ll go over how JWTs are used, then dig into what JWTs are, and how they can securely transmit data through the signature and validation process.

How JWTs Are Used

JWTs are usually used to manage user sessions on a website. While they’re an important part of the token based authentication process, JWTs themselves are used for authorization, not authentication.

Here’s a good overview of how token based authentication works:

A diagram showing the flow for token based authentication with JWT.


When you sign in to a site with a username and password, or with a third party method like Google, you’re proving who you are with those sensitive details or access. This process is called authentication.

Once you’re signed in, the site’s server sends back a JWT that allows you access to things like your settings page, shopping cart, and so on. This process is called authorization.

You send your JWT to the server with each request. When the server receives it, it generates a signature using using some data from your JWT, verifies it, and if your JWT is valid, it sends back a response.

What are JWTs?

At their core, JWTs are just bits of encoded JSON data with a cryptographic signature at the end.

Here’s an example of a JWT:

Each JWT is made up of three segments, each separated by a dot ( . ). These three segments are the header, payload, and signature.

If you copy and paste that JWT into the JWT.io Debugger, you can see the decoded versions of those three segments.

Header Segment

The header segment of a JWT contains information about the algorithm and token type.

Here’s the header segment of the example JWT token above:

The header segment is base 64 URL encoded, and decodes to the following JSON object:

«alg» is the type of algorithm used in the last segment, the cryptographic signature. In this case, the HMAC SHA256 algorithm is used, though RSA is also common.

«typ» is the type of token the segmented string is, which in this case is JWT.

Payload Segment

The payload segment of a JWT contains registered claims or identifying information, usually for a user.

Here’s the payload segment of the example JWT token above:

The payload segment is also base 64 URL encoded, and decodes to the following JSON object:

Since JWTs are usually used as part of the authentication method for sites, the payload segment usually contains identifying information for a user. These claims fall into three categories: registered, public, and private.

Registered claims are a set of predefined claims defined here that are optional, but recommended when using JWTs.

Public claims are optional claims, usually from the IANA JSON Web Token Registry.

Private claims are optional, and are any claims that don’t fall under the registered or public claims categories.

«sub» is the subject of the JWT, and is usually a unique identifying string for a user in an application, usually an email address, username, or id. Subjects are registered claims.

«name» is the full name of the user who was issued the JWT, and is a public claim.

«iat» is the «issued at» date for the token, and is a registered claim.

Signature Segment

The signature segment of a JWT contains the cryptographic signature of the token.

Here’s the signature segment of the example JWT token above:

The signature segment is made up of the base 64 URL encoded header and payload segments, a secret (usually the contents of a key in a signing algorithm), and hashed using the algorithm defined in the header segment:

The signature helps ensure that the data in the header and payload segments haven’t been tampered with, and the JWT can be trusted.

However, it’s important to note that the cryptographic signature at the end of the JWT is just for validation. It doesn’t encrypt any data in the header or payload segments of the token. So you should never send sensitive information like a user’s password in a JWT – everything in the header and payload can and should be public.

How to Validate JWT Signatures

The exact method for validating a signature depends on the algorithm defined in the header segment and used to generate the signature itself.

For the HS256 signing algorithm, a private key is shared between two entities, say your application’s server and an authentication server. This private key is used both to generate signatures for outgoing JWTs, and to validate signatures from incoming JWTs.

When your authentication server receives an incoming JWT, it uses the incoming JWT’s header and payload segments and the shared private key to generate a signature.

If the signature matches, then your application knows that the incoming JWT can be trusted.

Another popular signing algorithm is RS256, which uses public and private key pairs to validate signatures. This is similar to the system used for SSH and SSL.

If you’d like to read more about how RS256 works, check out this article:


Other Helpful Tutorials

If you’d like to learn more about JWTs and how to use them in applications, check out these tutorials:



Thanks for Reading

If you found this article on JWTs helpful, consider sharing it so more people can benefit from it.

How To Validate a JWT Token

Muhammad Danyal

JWT stands for JSON Web Token. It is a security validation mechanism widely used now a day. JWT is basically a string of random alphanumeric characters. There are three parts of a JWT separated by dots, header, payload, and signature. A JWT looks like this

What do I need to validate?

You see why it’s called JSON web token. It is composed of JSON objects, which are base64url-encoded and joined together as a string separated by dots. Anyone in possession of JWT can decode it and see the content. JWT tokens are digitally signed (the signature part) using the payload content and a secret key. In order to change the content, the secret key is required to generate the signature again, otherwise, the signature will be invalid. When a token is posted to the server, it must be validated to check if anyone has tempered the token or not. Lack of proper validation can cause serious security issues and here we will see how to properly validate a JWT.

In order to validate a JWT, you must know the content of JWT.


The contents of the Header describe the cryptographic operations to the JWT data. This means that the header contains the information about the type of the token and the algorithm used to generate the signature (yes there are more than one and we will discuss most commonly used). So in the example header, we have a JSON object which contains a type property ‘typ’ and the algorithm property ‘alg’ whose value is the algorithm used to generate the signature. They type property says that it is a JWT token, which is our very first check to validate if the value is JWT or something else. This property is optional but since we are discussing all the possible options to be secure, we can check if this property is available, its value should be JWT. Another property “cty” (content type) is used to convey structural information about the JWT.


The payload is the central part of the JWT which contains verifiable security statements, such as the identity of the user and the permissions they are allowed. The payload information is also referred to as Claims. There are three classes of JWT Claim Names:

1. Registered Claim Names

2. Public Claim Names

3. Private Claim Names

Registered claims are the predefined claims. Public claims can be any user defines information and private claims are the ones upon which producer and consumer of JWT are agreed to use some special or private claims.

In order to validate a JWT, we should check some registered claims as well. Some of the important registered claims are defined below.

“iss” (Issuer) Claim

The "iss" (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The "iss" value is a case-sensitive string containing a URI value. The use of this claim is OPTIONAL. We should validate that the issuer is a valid URL or JWT is sent by out expected issuer.

"sub" (Subject) Claim

The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The "sub" value is a case-sensitive string containing a URI value. The use of this claim is OPTIONAL.

"aud" (Audience) Claim

The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-sensitive strings, each containing a URI value. The use of this claim is OPTIONAL.

"exp" (Expiration Time) Claim

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Its value MUST be a number containing a timestamp value. The use of this claim is OPTIONAL.

"nbf" (Not Before) Claim

The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. Its value MUST be a number containing a Numeric Date value. The use of this claim is OPTIONAL.

"iat" (Issued At) Claim

The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing Numeric Date value. The use of this claim is OPTIONAL.

"jti" (JWT ID) Claim

The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed. The "jti" value is a case sensitive string. The use of this claim is OPTIONAL.


The third part of JWT is the signature. This is the most important part of JWT validation. As we have already seen that signature is generated using payload and a secret key, anyone who is in possession of this key can generate new tokens with valid signatures. you have to be sure that the data in that payload is legitimate and can be trusted (at least as much as you are sure your secret key is really secret).

Most commonly used crypto algorithms used for generating signature are

· HS256 algorithm, which is short for HMAC-SHA256

· RS256 signing algorithm, which is short for RSA-SHA256

HS256 (Symmetric Key encryption) involves a secret key that is shared between two parties. This secret key is used to encrypt the data and on the receiving end, the same key is used to decrypt the data. HS256 signatures are generated using a secret key which is validated at the receiving end (resource server). On the receiving end, using the payload and secret key signature are generated again and compared to the incoming signature part of the JWT. As only the authentication server and the resources server are in possession of the secret key, it is not possible to temper the JWT token, and that’s how we can check the validity of the JWT token.

Something is wrong here

A disadvantage of the HS256 algorithm is that the secret key needs to be accessible both when generating and validating tokens. For a monolithic application, this isn’t so much of a problem, but if you have a distributed system built out of multiple services running independently of each other or same cloud environment having multiple application nodes, you basically have to choose between two really bad options:

  • You can opt to have a dedicated service for token generation and verification. Any services that receive a token from a client need to make a call into the authentication service to have the token verified. For busy systems this creates a performance bottleneck on the authentication service.
  • You can configure the secret key into all the services that receive tokens from clients so that they can verify the tokens without having to make a call to the authentication service. But having the secret key in multiple locations increases the risk of it being compromised, and once it is compromised the attacker can generate valid tokens and impersonate any user in the system.

RS256 (Asymmetric Key encryption or Public Key encryption) involves two keys, a public key, and a private key. The private key is used to generate the signature whereas the public key is used to validate the signature. In this case the private key is only in possession of the authentication server who has generated the JWT token and we no longer need to distribute the private key. On the resource server we can validate the token by using the public key. Both keys are non-interchangeable, one can only be used to generate and other can only be used for validation.

JSON Web Key Set (JWKS)

One question arises that how we can get the public key. The JSON Web Key Set (JWKS) is a set of keys that contains the public keys used to verify any JSON Web Token (JWT) issued by the authorization. Most authorization servers expose a discovery endpoint, like https://YOUR_DOMAIN/.well-known/openid-configuration . You can use this endpoint to configure your application or API to automatically locate the JSON Web key set endpoint ( jwks_uri ), which contains the public key used to sign the JWT .

Be more secure

By applying all these things, your web security is rock solid. Here are some extra tips which you can apply to be more secure.

  1. Verify that the JWT contains at least one period ('.') character.
  2. Let the Encoded Header be the portion of the JWT before the first period ('.') character.
  3. Base64url decode the Encoded Header following the restriction that no line breaks, whitespace, or other additional characters have been used.
  4. Verify that the resulting octet sequence is a UTF-8-encoded of a completely valid JSON.

Finally, note that it is an application decision in which algorithms may be used in a given context. Even if a JWT can be successfully validated, unless the algorithms used in the JWT are acceptable to the application, it SHOULD reject the JWT.

Validate JSON Web Tokens

Read about JSON Web Tokens (JWTs) Auth0 uses for access, ID, and refresh tokens.

Review signing algorithms to understand what a signature is on a token.

Validate JWTs to make sure no one has tampered with them.

Use Auth0 SDKs, middleware, or one of the third-party libraries at JWT.io to validate JWTs.

Auth0 uses for secure data transmission, authentication, and authorization. Tokens should be parsed and validated in regular web, native, and single-page applications to make sure the token isn’t compromised and the signature is authentic. Tokens should be verified to decrease security risks if the token has been, for example, tampered with, misused, or has expired. validation checks the structure, claims, and signature to assure the least amount of risk.

To visually inspect a JWT, visit JWT.io or use the JWT Debugger Chrome Extension).

The JWT token signature is generated using a . While tokens can use multiple , Auth0 supports RS256, RSA encryption with SHA-256 hash function or HS256, HMAC message authentication code (MAC) with SHA-256. To learn more about Auth0’s recommended algorithm, read Signing Algorithms.

When validating a JWT, generally, the current hash value and the original hash value are parsed, or decoded, then compared to verify the token signature is authentic. All of our backend API quickstarts use SDKs that perform JWT validation and parsing for you.

Parse and validate

If you are not using one of our SDKs that perform JWT validation and parsing for you, you can parse and validate a JWT by:

Using any existing middleware for your web framework.

Choosing a third-party library from JWT.io.

Manually implementing the checks described in specification RFC 7519 > 7.2 Validating a JWT.

We strongly recommend that you use middleware or one of the existing open source third-party libraries to parse and validate JWTs. At JWT.io, you can find libraries for various platforms and languages, such as .NET, Python, Java, Ruby, Objective-C, Swift, and PHP.


Many web frameworks, such as ASP.NET Core, include JWT middleware that handles JWT validation. Typically, this is the best route to take because the middleware integrates well with the framework’s overall authentication mechanisms.

Third-party libraries

If you choose a third-party library, choose a library that supports the signing algorithm you selected when you registered your application or API with Auth0. Also, be aware that not all libraries validate all JWT claims. At JWT.io, you can see which validations each library supports (look for the green check marks).

Most third-party libraries implement one method to verify a JWT and build in various arguments to allow you to customize the verification. For example, if you are using Node.js and the node-jsonwebtoken library, then you would call the jwt.verify() method. This method supports an algorithms argument to allow you to customize your allowed algorithms (make sure you disallow none ), a secretOrPublicKey argument that you populate with either the secret or the RSA public key (depending on selected signing algorithm), and other input arguments that allow you to customize claim validation. If parsing fails, then the library returns a JsonWebTokenError error with the message jwt malformed , after which you must reject the associated request.

General recommendations for using third-party libraries:

For obtaining claims from JWT, use the verify() method to validate the claims and the signature. Avoid using the decode() method to validate a token, especially if it’s coming from a .

Carefully follow all instructions on how to use the chosen library. The library could rely on default values or settings that could create security risks.

Manually implement checks

We discourage doing manual JWT validation since it might be easy to improperly implement and miss some important details that will lead to serious security vulnerabilities. Most JWT libraries take care of JWT validation for you. Visit JWT.io to find a JWT library for your platform and programming language.

For instructions on how to manually validate a JWT, see RFC 7519. All Auth0-issued JWTs have a JSON Web Signature (JWS), meaning they are signed rather than encrypted.

Verify RS256-signed tokens

To visually verify RS256-signed tokens:

Go to the Settings view, and open Advanced Settings.

Go to the Certificates view, locate the Signed Certificate field, and copy the Public Key.

Navigate to the JWT.io website, locate the Algorithm dropdown, and select RS256.

Locate the Verify Signature section, and paste the Public Key you previously copied in place of the content in the field that begins with ——BEGIN PUBLIC KEY—— .

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *