Overview
This node verifies the signature of a JWT (JSON Web Token) and validates its claims using a JWKS (JSON Web Key Set) endpoint. It is useful in scenarios where you need to authenticate or authorize requests based on JWT tokens, such as API gateways, microservices, or any system that relies on JWT for secure communication.
Typical use cases include:
- Validating access tokens received from clients.
- Ensuring tokens are issued by trusted issuers and intended for your audience.
- Checking token expiration and other standard claims.
- Enforcing custom claim validations for fine-grained access control.
For example, you might use this node to verify an OAuth2 access token before processing a request or to validate a JWT passed in an HTTP header or JSON payload.
Properties
| Name | Meaning |
|---|---|
| Token Source | Where to extract the JWT token from. Options: Authorization Header, JSON Field, Raw String. |
| Header Name | Name of the HTTP header containing the token (used if Token Source is Authorization Header). |
| Field Name | Name of the JSON field containing the token (used if Token Source is JSON Field). |
| Token | Raw JWT token string (used if Token Source is Raw String). |
| Additional Options | Collection of optional settings: |
| - Validate Claims | Whether to validate standard claims like expiration (exp), not before (nbf), issued at (iat). |
| - Custom Claims | List of custom claims to validate with expected values and match types (exact, contains, regex). |
| - Include Token Header | Whether to include the JWT header part in the output. |
| - Pass Through Original Data | Whether to pass through the original input data alongside verification results. |
Output
The node has two outputs:
Valid (first output): Items with successfully verified JWTs.
json.valid:truejson.payload: The decoded JWT payload (claims).json.header(optional): The JWT header if "Include Token Header" is enabled.json.originalData(optional): The original input data if "Pass Through Original Data" is enabled.
Invalid (second output): Items where verification failed.
json.valid:falsejson.error: Error message describing why verification failed.json.originalData(optional): The original input data if "Pass Through Original Data" is enabled.
No binary data is output by this node.
Dependencies
- Requires a JWKS URL credential to fetch public keys for verifying JWT signatures.
- Needs network access to retrieve the JWKS from the configured URL.
- Uses the
joselibrary internally for JWT verification. - Requires configuration of expected issuer, audience, allowed algorithms, and optionally clock tolerance and required claims via credentials or additional options.
Troubleshooting
- No token found: Occurs if the token cannot be extracted from the specified source. Check that the correct header name, JSON field, or raw token string is provided.
- Invalid JWKS response: Happens if the JWKS endpoint does not return a valid keys array. Verify the JWKS URL and its accessibility.
- JWT verification errors: Could be due to invalid signature, expired token, incorrect issuer/audience, or claim validation failures. Review the error message for details.
- Network errors fetching JWKS: Ensure the node can reach the JWKS URL and that any required authentication is configured.
- If custom claims validation fails, check that claim names, expected values, and match types are correctly set.