Validate a JWT Token — Quickstart

Learn the difference between decoding and verifying, and implement proper JWT validation in your API.

Steps

  1. 1

    Understand that jwt.decode() only reads claims — jwt.verify() checks the signature.

  2. 2

    Always pass algorithms: ['HS256'] explicitly to prevent algorithm confusion attacks.

  3. 3

    Validate exp, and set iss and aud claims for production APIs.

  4. 4

    Use the JWT Validator tool during development to debug failing tokens.

  5. 5

    Implement auth middleware that rejects missing, expired, or invalid tokens with 401.

Validate JWT Token

Related Articles

Frequently Asked Questions

Why does my token fail verification?

Common causes: wrong secret, expired exp claim, whitespace in secret, or algorithm mismatch.

Should I verify on every request?

Yes. Every protected endpoint must verify the token before trusting any claim.