DEV Community

Kumar Nitesh
Kumar Nitesh

Posted on

Securing Your JSON Web Tokens with JWT Schema Validation in JavaScript

JSON Web Tokens (JWTs) are a popular tool for transmitting information securely between parties. They are self-contained and can be used for authentication and authorization purposes. To ensure that JWTs are secure, it's important to validate their structure and content. One way to do this is through JWT schema validation.

JWT schema validation involves checking the token against a predefined schema to make sure it meets certain requirements. This can include checking the structure of the token, such as the presence of certain claims, the format of the claims, and the values of the claims.

In this article, we'll walk through the process of performing JWT schema validation using the popular JavaScript library, jsonwebtoken.

Here's an example JWT:


Enter fullscreen mode Exit fullscreen mode

We can decode and validate the token using jsonwebtoken like this:

const jwt = require('jsonwebtoken');
const Ajv = require('ajv');

const validateJWT = (token) => {
    try {
        // Define the expected schema for the JWT
        const schema = {
            type: 'object',
            properties: {
                sub: { type: 'string' },
                iss: { type: 'string' },
                exp: { type: 'integer' }
            required: ['sub', 'iss', 'exp'],
            additionalProperties: false

        // Decode the token and validate it against the schema
        const decodedToken = jwt.verify(token, 'secret');
        const ajv = new Ajv();
        const validate = ajv.compile(schema);
        const valid = validate(decodedToken);

        if (!valid) {
            // Handle schema validation error
            console.error('Token does not match expected schema');
        } else {
            // If the validation passes, return the decoded token
            return decodedToken;
    } catch (err) {
        if ( === 'TokenExpiredError') {
            // Handle expired signature error
            console.error('Token has expired');
        } else {
            // Handle invalid token error
            console.error('Token is invalid');
Enter fullscreen mode Exit fullscreen mode

In this example, we first define the expected schema for the JWT using the JavaScript library Ajv. The schema specifies that the JWT must contain a "sub" claim, an "iss" claim, and an "exp" claim, and that these claims must be of the correct data type (string and integer, respectively).

Next, we use the jsonwebtoken library to decode the token and verify its signature using the secret 'secret'. We then validate the decoded token against the schema using the Ajv library.

If the validation passes, we return the decoded token. If an error is thrown during the signature verification process, we catch it and log a message indicating that the token is invalid or has expired.

It's important to note that JWT schema validation is only one step in ensuring the security of JWTs. It's still possible for an attacker to manipulate the contents of a token even if it passes schema validation, so it's important to implement proper security measures such as using secure encryption algorithms and keeping encryption keys secret.

JWT schema validation is a useful tool for verifying the structure and content of JWTs. By using libraries such as jsonwebtoken and Ajv, we can easily implement JWT schema validation in our applications to ensure the security of their tokens.

Top comments (0)