Validate a JWT
This API is used to validate a JSON Web Token. A valid JWT indicates the signature is valid and the payload has not be tampered with and the token is not expired.
You can also validate a JWT without using this API call. To do so, validate the JWT attributes and signature locally. Many programming languages have libraries to do this. Here's an example in Java.
Request#
OpenAPI Spec
The access token can be provided to the API using an HTTP request header, or a cookie. The response body will contain the decoded JWT payload.
Request Headers#
AuthorizationStringoptionalThe encoded JWT to validate sent in on the Authorization request header.
The header is expected be in the following form: Authorization: Bearer [encoded_access_token].
See Authentication for additional examples.
Request Cookies#
access_tokenStringoptionalThe encoded JWT. This cookie is written to the client by the Login API.
Response Codes
| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 401 | The access token is not valid. A new access token may be obtained by authentication against the Login API, the Token Endpoint or by utilizing a Refresh Token. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body#
jwtObjectThe decoded JWT payload. The payload contains the identity claims for the user.
Example Response JSON
{
"jwt": {
"applicationId": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
"exp": 1487975407000,
"iat": 1487971807000,
"iss": "acme.com",
"roles": [
"admin"
],
"sub": "858a4b01-62c8-4c2f-bfa7-6d018833bea7"
}
}