JWT Verify


You can use the JWT Verify filter to verify signed JWTs.

Upon successful verification, the filter removes the header and signature from the incoming signed JWT and outputs the originally signed JWS payload. For example, when you verify the following JWS payload:












The output is:




Note: The JWT Verify filter automatically detects whether the input JWT is signed with an HMAC or an asymmetric key and uses the corresponding settings. For example, you can configure verification with both an HMAC shared key and a certificate; the filter then uses one or the other depending on the type of JWS it receives as input.

General settings

Configure the following fields on the JWT Verify window:


Enter an appropriate name for the filter to display in a policy.

Token location:

Enter the selector expression to retrieve the JWS token to be verified.

Verification using RSA/EC public keys

Optionally, configure the following fields in the Verify using RSA/EC public key section:

X509 certificate:

Select the certificate from the certificate store that is used to verify the payload.

Selector expression:

Alternatively, enter a selector expression to retrieve the alias of the certificate in the certificate store.

Verification using symmetric key details

Optionally, configure the following fields in the Verify using symmetric key section:


Select if you do not want to verify tokens signed with HMAC.

Shared key:

Enter the shared key that was used to sign the payload. The key should be given as a base64-encoded byte array.

Selector expression:

Alternatively, enter a selector expression to obtain the shared key. The value returned by the selector should be one of the following:

  • Byte array (possibly produced by a different filter)
  • Base64-encoded byte array

JWK from external source:

Optionally, enter a selector expression to retrieve a JSON Web Key that can be used to verify signed tokens. The JWKs can be retrieved with the Connect to URL filter.
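As an added illustration of the check the filter performs on the symmetric path (this is example code, not the filter's own implementation), the stand-alone Python verifier below takes a compact JWS plus either the shared key as a base64-encoded byte array or a JWK of type "oct", verifies the HMAC signature, and returns only the signed payload with the header and signature stripped, as the filter's output described above. All function names, the sample key and the sample token are constructed for this example; the RSA/EC branch is left out to keep it dependency-free, and a token whose alg does not fit the configured key type (including "none") is rejected rather than guessed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a constructed HS256 token so the example can run offline."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_jws(token: str, shared_key_b64: Optional[str] = None,
               jwk: Optional[dict] = None) -> bytes:
    """Verify a compact JWS with a symmetric key; return the bare signed payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    head, body, sig = parts
    alg = json.loads(b64url_decode(head)).get("alg")
    # Key material: a JWK of type "oct" (symmetric) or the base64 shared key.
    if jwk is not None:
        if jwk.get("kty") != "oct":
            raise ValueError("this example only handles symmetric (oct) JWKs")
        key = b64url_decode(jwk["k"])
    elif shared_key_b64 is not None:
        key = base64.b64decode(shared_key_b64)
    else:
        raise ValueError("no verification key configured")
    # The header states which family the token claims; accept it only if it
    # matches the configured key type. "none" and RS*/ES* algs are rejected here.
    if alg not in HMAC_ALGS:
        raise ValueError(f"alg {alg!r} cannot be verified with a symmetric key")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature verification failed")
    return b64url_decode(body)

KEY = b"constructed-demo-key-not-for-production"  # constructed sample key
SHARED_KEY_B64 = base64.b64encode(KEY).decode("ascii")  # as the filter expects it
TOKEN = sign_hs256({"sub": "alice", "scope": "read"}, KEY)  # constructed sample token
```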

Related Links