Validate JSON web tokens (JWT)
Extract the JWT token from a header, decode it, and implement validation checks to verify it.
export default {  async fetch(request) {    // Extract JWT token from "Authorization: Bearer" header    function getJWTToken(request) {      const authorizationHeader = request.headers.get("Authorization");      if (authorizationHeader && authorizationHeader.startsWith("Bearer ")) {        return authorizationHeader.substring(7, authorizationHeader.length);      }      return null;    }
    // Validate that JWT token has correct format: header.payload.signature (for example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNjI0OTkyMDAwLCJleHAiOjE2MjI1MDAwMDB9.TldRGokRHJvG69SefbxIqAlQ6nnco6aLa3y7jsYXHMI")    function validateJWT(token) {      const [header, payload, signature] = token.split(".");
      if (!header || !payload || !signature) {        throw new Error("Invalid JWT format");      }
      // Decode the JWT payload and header to JSON      const decodedHeader = JSON.parse(atob(header));      const decodedPayload = JSON.parse(atob(payload));
      // Here you would implement the logic to verify the JWT signature.      // This example assumes a simple validation that just checks the payload.      // Replace the following lines with your actual validation logic.
      // Ensure that JWT token hasn't expired (to test, try sending a request with an expired token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNjI0OTkyMDAwLCJleHAiOjE2MjI1MDAwMDB9.TldRGokRHJvG69SefbxIqAlQ6nnco6aLa3y7jsYXHMI")      if (decodedPayload.exp < Math.floor(Date.now() / 1000)) {        throw new Error("JWT has expired");      }
      // Optionally, you could add more validation checks here (issuer, audience, etc.).      // Also, implement actual signature validation with a custom function.
      return true;    }
    // Execute the function to extract JWT token    const jwtToken = getJWTToken(request);
    // If the token is not provided, serve 401 Forbidden    if (!jwtToken) {      return new Response("Missing JWT token", { status: 401 });    }
    // Execute the function to validate the token    try {      const validToken = await validateJWT(jwtToken);      if (validToken) {        // If the token is valid, serve actual response        // An example of a valid token that will expire in 2033 is "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNjI0OTkyMDAwLCJleHAiOjIwMDExMjAwMDB9._qgQ_TMrGfYgOoA8HtTZwEGoj8zAPWxsz8CT1jEAGzo"        return fetch(request);      } else {        return new Response("Invalid JWT token", { status: 401 });      }    } catch (error) {      return new Response("Error validating token: " + error.message, {        status: 500,      });    }  },};Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark