
System Design

JWT Validation

Verifying signed tokens correctly so attackers cannot forge or replay them.


A self-contained token

A JSON Web Token carries claims in a payload, signed so the server can trust it without a database lookup. That power is also the danger: if validation is sloppy, forged tokens pass.

What you must verify

  • Signature using the expected key, so the token was issued by a trusted party.
  • Algorithm pinned to the expected one, rejecting tokens whose header claims a weaker algorithm or `none`.
  • Issuer and audience match your service, so a token for another system is rejected.
  • Expiry is in the future, so old tokens cannot be replayed forever.

Common mistakes

The classic flaw is trusting the algorithm field in the token itself, which lets an attacker downgrade verification. Always pin the algorithm server side. Also remember that a valid signature does not mean the token is still valid; check expiry and revocation separately.

Key idea

Validate a JWT by verifying its signature with a pinned algorithm and checking issuer, audience, and expiry, never trusting the token to choose its own algorithm.

Check yourself

Answer to earn rating on the learn ladder.

1. Why must you pin the signing algorithm server side?

2. Beyond a valid signature, what else must be checked?