Validate a JWT

This API is used to validate a JSON Web Token. A valid JWT indicates the signature is valid and the payload has not be tampered with and the token is not expired.

You can also validate a JWT without using this API call. To do so, validate the JWT attributes and signature locally. Many programming languages have libraries to do this. Here's an example in Java.

Request#

No Authentication Required
Validate Access Token.
GET/api/jwt/validate
OpenAPI Spec

The access token can be provided to the API using an HTTP request header, or a cookie. The response body will contain the decoded JWT payload.

Request Headers#

AuthorizationStringoptional

The encoded JWT to validate sent in on the Authorization request header.

The header is expected be in the following form: Authorization: Bearer [encoded_access_token].

See Authentication for additional examples.

Request Cookies#

access_tokenStringoptional

The encoded JWT. This cookie is written to the client by the Login API.

Response Codes

CodeDescription
200The request was successful. The response will contain a JSON body.
401The access token is not valid. A new access token may be obtained by authentication against the Login API, the Token Endpoint or by utilizing a Refresh Token.
500There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

Response Body#

jwtObject

The decoded JWT payload. The payload contains the identity claims for the user.

Example Response JSON

{
  "jwt": {
    "applicationId": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
    "exp": 1487975407000,
    "iat": 1487971807000,
    "iss": "acme.com",
    "roles": [
      "admin"
    ],
    "sub": "858a4b01-62c8-4c2f-bfa7-6d018833bea7"
  }
}