Skip to content
Cloudflare Docs

Validate JSON web tokens (JWT)

Extract the JWT token from a header, decode it, and implement validation checks to verify it. 
export default {
  async fetch(request) {
    // Extract JWT token from "Authorization: Bearer" header
    function getJWTToken(request) {
      const authorizationHeader = request.headers.get('Authorization')
      if (authorizationHeader && authorizationHeader.startsWith('Bearer ')) {
        return authorizationHeader.substring(7, authorizationHeader.length)
      }
      return null
    }


    // Validate that JWT token has correct format: header.payload.signature (for example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNjI0OTkyMDAwLCJleHAiOjE2MjI1MDAwMDB9.TldRGokRHJvG69SefbxIqAlQ6nnco6aLa3y7jsYXHMI")
    function validateJWT(token) {
      const [header, payload, signature] = token.split('.')


      if (!header || !payload || !signature) {
        throw new Error('Invalid JWT format')
      }


      // Decode the JWT payload and header to JSON
      const decodedHeader = JSON.parse(atob(header))
      const decodedPayload = JSON.parse(atob(payload))


      // Here you would implement the logic to verify the JWT signature.
      // This example assumes a simple validation that just checks the payload.
      // Replace the following lines with your actual validation logic.


      // Ensure that JWT token hasn't expired (to test, try sending a request with an expired token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNjI0OTkyMDAwLCJleHAiOjE2MjI1MDAwMDB9.TldRGokRHJvG69SefbxIqAlQ6nnco6aLa3y7jsYXHMI")
      if (decodedPayload.exp < Math.floor(Date.now() / 1000)) {
        throw new Error('JWT has expired')
      }


      // Optionally, you could add more validation checks here (issuer, audience, etc.).
      // Also, implement actual signature validation with a custom function.


      return true
    }


    // Execute the function to extract JWT token
    const jwtToken = getJWTToken(request)


    // If the token is not provided, serve 401 Forbidden
    if (!jwtToken) {
      return new Response('Missing JWT token', { status: 401 })
    }


    // Execute the function to validate the token
    try {
      const validToken = await validateJWT(jwtToken)
      if (validToken) {
        // If the token is valid, serve actual response
        // An example of a valid token that will expire in 2033 is "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNjI0OTkyMDAwLCJleHAiOjIwMDExMjAwMDB9._qgQ_TMrGfYgOoA8HtTZwEGoj8zAPWxsz8CT1jEAGzo"
        return fetch(request)
      } else {
        return new Response('Invalid JWT token', { status: 401 })
      }
    } catch (error) {
      return new Response('Error validating token: ' + error.message, { status: 500 })
    }
  }
};
Cloudflare DashboardDiscordCommunityLearning CenterSupport Portal