FluxyAPIFluxyAPI
BlocksTokens & Crypto

Verify JWT

Validate a JSON Web Token and extract its payload.

The Verify JWT block checks if a provided JSON Web Token (JWT) is valid and hasn't been tampered with. If valid, it extracts the data (payload) stored inside the token.

Configuration

FieldRequiredDescription
SecretThe project secret used to verify the token's signature.
JWTThe token string to verify (e.g., from a request header).
Token VariableThe name of the variable that will store the decoded payload object.
Braced Variables

To access the token from a header, use {request.headers.authorization}.

Error Handling

  • JWT_VERIFY_SECRET_MISSING — Triggered when no secret is selected.
  • JWT_VERIFY_TOKEN_MISSING — Triggered when the JWT input is empty.
  • JWT_VERIFY_VAR_MISSING — Triggered when the output variable name is missing.
  • JWT_VERIFY_SECRET_RETRIEVE_ERROR — Triggered if the selected secret cannot be loaded.
  • JWT_TOKEN_EXPIRED — Triggered if the token's expiration time (exp) has passed.
  • JWT_TOKEN_NOT_BEFORE — Triggered if the token is not yet valid (nbf claim).
  • JWT_INVALID_SIGNATURE — Triggered if the token was signed with a different secret or tampered with.
  • JWT_MALFORMED — Triggered if the token format is invalid.
  • JWT_INVALID_AUDIENCE — Triggered if the audience (aud claim) is invalid.
  • JWT_INVALID_ISSUER — Triggered if the issuer (iss claim) is invalid.
  • JWT_VERIFY_RUNTIME_ERROR — Triggered for other verification failures.

Example: Protecting an Endpoint

Verify a token sent in the Authorization header to identify the calling user.

  1. Secret: Select the same APP_JWT_SECRET used for signing.
  2. JWT: Set to {request.headers.authorization} (or use a substring block to remove "Bearer ").
  3. Token Variable: Enter decoded_user.
  4. Result: If valid, {decoded_user} will contain the original payload:
    {
      "user_id": "123",
      "role": "admin"
    }

You can then access the user ID via {decoded_user.user_id} in later blocks.

On this page