Validate a JWT Token — Quickstart
Learn the difference between decoding and verifying, and implement proper JWT validation in your API.
Steps
- 1
Understand that jwt.decode() only reads claims — jwt.verify() checks the signature.
- 2
Always pass algorithms: ['HS256'] explicitly to prevent algorithm confusion attacks.
- 3
Validate exp, and set iss and aud claims for production APIs.
- 4
Use the JWT Validator tool during development to debug failing tokens.
- 5
Implement auth middleware that rejects missing, expired, or invalid tokens with 401.
Related Articles
Frequently Asked Questions
Why does my token fail verification?
Common causes: wrong secret, expired exp claim, whitespace in secret, or algorithm mismatch.
Should I verify on every request?
Yes. Every protected endpoint must verify the token before trusting any claim.