BlocksTokens & Crypto
Verify JWT
Validate a JSON Web Token and extract its payload.
The Verify JWT block checks if a provided JSON Web Token (JWT) is valid and hasn't been tampered with. If valid, it extracts the data (payload) stored inside the token.
Configuration
| Field | Required | Description |
|---|---|---|
| Secret | ✅ | The project secret used to verify the token's signature. |
| JWT | ✅ | The token string to verify (e.g., from a request header). |
| Token Variable | ✅ | The name of the variable that will store the decoded payload object. |
Braced Variables
To access the token from a header, use {request.headers.authorization}.
Error Handling
JWT_VERIFY_SECRET_MISSING— Triggered when no secret is selected.JWT_VERIFY_TOKEN_MISSING— Triggered when the JWT input is empty.JWT_VERIFY_VAR_MISSING— Triggered when the output variable name is missing.JWT_VERIFY_SECRET_RETRIEVE_ERROR— Triggered if the selected secret cannot be loaded.JWT_TOKEN_EXPIRED— Triggered if the token's expiration time (exp) has passed.JWT_TOKEN_NOT_BEFORE— Triggered if the token is not yet valid (nbfclaim).JWT_INVALID_SIGNATURE— Triggered if the token was signed with a different secret or tampered with.JWT_MALFORMED— Triggered if the token format is invalid.JWT_INVALID_AUDIENCE— Triggered if the audience (audclaim) is invalid.JWT_INVALID_ISSUER— Triggered if the issuer (issclaim) is invalid.JWT_VERIFY_RUNTIME_ERROR— Triggered for other verification failures.
Example: Protecting an Endpoint
Verify a token sent in the Authorization header to identify the calling user.
- Secret: Select the same
APP_JWT_SECRETused for signing. - JWT: Set to
{request.headers.authorization}(or use a substring block to remove "Bearer "). - Token Variable: Enter
decoded_user. - Result: If valid,
{decoded_user}will contain the original payload:{ "user_id": "123", "role": "admin" }
You can then access the user ID via {decoded_user.user_id} in later blocks.
