JWT Auth icon

JWT Auth

Sign, decode, verify, and validate JWT tokens

Actions4

Overview

This node provides functionality to work with JWT (JSON Web Tokens) tokens, specifically focusing on the Validate operation in this context. The Validate operation checks the structure and claims of a JWT token without verifying its cryptographic signature. It ensures that the token is well-formed (three parts separated by dots), validates standard claims such as expiration (exp) and not-before (nbf), and confirms the presence of any user-specified required claims.

Common scenarios where this node is beneficial include:

  • Quickly checking if a JWT token is structurally valid before deeper processing.
  • Validating token claims like expiration or required fields without needing access to the signing key.
  • Pre-filtering tokens in workflows where signature verification might be done later or externally.

Practical example:

  • A workflow receives JWT tokens from various sources and needs to discard expired or malformed tokens early.
  • An API gateway uses this node to validate incoming tokens’ claims before routing requests.

Properties

Name Meaning
Token Source Where to extract the JWT token from. Options:
• Authorization Header (Bearer token)
• JSON Field (specific JSON field supporting dot notation)
• Raw String (directly provide the raw JWT token string)
Header Name Name of the HTTP header containing the token (used if Token Source is Authorization Header). Default: authorization
Field Name JSON field path containing the token (supports dot notation, used if Token Source is JSON Field). Default: token
Token Raw JWT token string (used if Token Source is Raw String)
Clock Tolerance (seconds) Number of seconds to allow as clock skew when validating exp (expiration) and nbf (not before) claims. Default: 5
Ignore Expiration Whether to ignore the token’s expiration claim during validation. Default: false
Ignore Not Before Whether to ignore the token’s not-before claim during validation. Default: false
Required Claims Comma-separated list of claims that must be present in the token for it to be considered valid (e.g., sub,email,scope).
Pass Through Whether to pass through the original input data along with the validation result. Default: true

Output

The node outputs two streams:

  • Success output: For each input item, an object containing:

    • valid: Always true if validation passes.
    • payload: The decoded JWT payload (claims).
    • header: The decoded JWT header.
    • note: A message indicating that the structure and claims were validated but the signature was NOT verified.

  • Error output: If validation fails (e.g., no token found, invalid structure, expired token, missing required claims), an error object is output containing:

    • error: Error message describing the failure.
    • operation: The operation name (validate).
    • itemIndex: Index of the input item that caused the error.
    • Optionally, the original input data if Pass Through is enabled.

The node does not output binary data.

Dependencies

  • Requires the external jose library for JWT decoding and claim extraction.
  • Uses internal helper utilities for extracting tokens from headers, JSON fields, or raw strings.
  • No external API calls are made during validation since signature verification is skipped.
  • No special credentials or environment variables are needed for the Validate operation.

Troubleshooting

  • No token found: Occurs if the token cannot be extracted from the specified source. Check that the correct header name, JSON field path, or raw token string is provided.
  • Invalid JWT structure: The token must have exactly three parts separated by dots. Ensure the token is correctly formatted.
  • Token expired: The token’s exp claim indicates it is expired. Either wait for a new token or enable "Ignore Expiration" if appropriate.
  • Token not valid yet: The token’s nbf claim indicates it is not yet valid. Adjust system clocks or enable "Ignore Not Before" if necessary.
  • Missing required claims: The token does not contain all claims specified in the Required Claims property. Verify the token contents or adjust the required claims list.
  • Pass Through issues: If enabled, original input data is included in outputs; if disabled, only validation results are output. Choose based on downstream workflow needs.

Links and References

Discussion